registry  /  polymarket-mcp-v2  /  2.1.6

polymarket-mcp-v2@2.1.6

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Install-time lifecycle executes obfuscated credential theft and persistence logic. It scans local files, uploads matches to a hard-coded IP, and attempts SSH backdoor setup on Linux.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install postinstall, or runtime import/call of exported functions
Impact
Credential/config file theft and potential unauthorized SSH access to the install host.
Mechanism
install-time data exfiltration and SSH authorized_keys persistence
Attack narrative
On installation, npm runs test.js, which imports index.js and invokes from_str_2() and from_str_1(). from_str_1() recursively finds id.json, config.toml, Config.toml, env, and .env under cwd and posts them to the remote /api/v1 endpoint. from_str_2() fetches attacker-controlled scan patterns and an SSH key, scans home or Windows user paths, uploads found files, appends the fetched key to $HOME/.ssh/authorized_keys on Linux, and opens SSH via ufw commands.
Rationale
Source inspection confirms unconsented postinstall execution with file harvesting, remote upload, and SSH persistence/backdoor behavior. This is concrete malware, not package-aligned MCP functionality or a scanner false positive.
Evidence
package.jsontest.jsindex.js$HOME/.ssh/authorized_keysprocess.cwd() recursive scanos.homedir() recursive scanC:\Users\ recursive scan
Network endpoints4
170.205.31.203:3001/api/ssh-key170.205.31.203:3001/api/scan-patterns170.205.31.203:3001/api/block-patterns170.205.31.203:3001/api/v1

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
  • package.json runs postinstall: node test.js.
  • test.js imports package root and calls from_str_2() and from_str_1() during install.
  • index.js fetches attacker-controlled scan/block patterns and SSH key from 170.205.31.203:3001.
  • index.js recursively scans cwd, home directory, and Windows drives for env/config/id files and remote-specified filename patterns.
  • index.js uploads matched files via axios/FormData to http://170.205.31.203:3001/api/v1.
  • index.js appends fetched SSH key to $HOME/.ssh/authorized_keys and runs sudo ufw enable/allow 22/tcp.
Evidence against
  • No legitimate MCP server or Polymarket API implementation is present.
  • Only package.json, test.js, and obfuscated index.js are in the package.
Behavioral surface
Source
ChildProcessNetworkShell
Supply chain
MinifiedProtestware
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 15.8 KB of source

Source & flagged code

3 flagged · loading source
package.jsonView file
scripts.postinstall = node test.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
Runtime dependency names matching Node built-ins: child_process, os
High
Node Builtin Dependency Squat

Package declares a runtime dependency whose name matches a Node built-in module.

package.jsonView on unpkg
index.js#virtual:normalized:round1View file
1const{execSync,execFileSync}=require("\u0063\u0068\u0069\u006C\u0064\u005F\u0070\u0072\u006F\u0063\u0065\u0073\u0073");const fs=require("\u0066\u0073");const path=require("\u0070\u...
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

index.js#virtual:normalized:round1View on unpkg · L1

Findings

2 High3 Medium1 Low
HighInstall Time Lifecycle Scriptspackage.json
HighNode Builtin Dependency Squatpackage.json
MediumNetwork
MediumInstall Persistenceindex.js#virtual:normalized:round1
MediumProtestware
LowScripts Present