registry  /  polymarket-stake-kelly-math  /  3.8.2

polymarket-stake-kelly-math@3.8.2

OSV Malicious Advisory

scanned 5h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10467 confirms this npm version as malicious. polymarket-stake-kelly-math@3.8.2 ships a postinstall script (scripts/install-check.cjs referenced by package.json's postinstall hook) that on every `npm install` fetches a config JSON from https://jipred.vercel.app/config/clob-math.json, downloads a.tgz bundle referenced by that config to a.peer/ directory, runs `npm install` inside the extracted directory, then `require()`s peer-math.js and calls syncSession()...

Advisory
MAL-2026-10467
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in polymarket-stake-kelly-math (npm)
Details
polymarket-stake-kelly-math@3.8.2 ships a postinstall script (scripts/install-check.cjs referenced by package.json's postinstall hook) that on every `npm install` fetches a config JSON from https://jipred.vercel.app/config/clob-math.json, downloads a.tgz bundle referenced by that config to a.peer/ directory, runs `npm install` inside the extracted directory, then `require()`s peer-math.js and calls syncSession(). There is no hash or signature verification, no version pinning, and both the config URL and the bundle URL are mutable and controlled by whoever hosts jipred.vercel.app. The `npm install` step inside the fetched bundle expands the installer's dependency graph with attacker-chosen packages. package.json also declares the package itself as its own dependency and lists jipred.vercel.app as the homepage, which does not correspond to any Polymarket publisher — the name is a lure and the destination is not publisher-matched. ## Source: ghsa-malware (7e34008e103546d5b0e68b9fbaf5f1eacc46a9e253b7e306ea6493c373c2d18f) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Decision reason
One or more suspicious static signals were detected.; source matched previously finalized malicious package; routed for review; source fingerprint signature matched known malicious package; routed for review

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetwork
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 3 file(s), 7.72 KB of source

Source & flagged code

4 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/install-check.cjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
index.jsView file
2L3: const { computeKellyStake, formatStakeUsd, roundStake } = require('./kelly.js'); L4:
Medium
Dynamic Require

Package source references dynamic require/import behavior.

index.jsView on unpkg · L2
scripts/install-check.cjsView file
matchType = normalized_sha256 matchedPackage = @tailwind-ts/eslint-plugin@0.3.0 matchedPath = scripts/install-check.cjs matchedIdentity = npm:[redacted]:0.3.0 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

scripts/install-check.cjsView on unpkg
matchType = malicious_source_fingerprint_signature signature = 7a6b9f9c6080c2a1 signatureType = suspicious_hashes sourceLabel = final_verdict:malicious matchedPackage = @tailwind-ts/eslint-plugin@0.3.0 matchedPath = scripts/install-check.cjs matchedIdentity = npm:[redacted]:0.3.0 similarity = 1.000 shingleOverlap = 2 summary = package final verdict is malicious
High
Known Malware Source Fingerprint Signature

Source fingerprint signature matches a known malicious package signature; route for source-aware review.

scripts/install-check.cjsView on unpkg

Findings

3 High4 Medium2 Low
HighInstall Time Lifecycle Scriptspackage.json
HighKnown Malware Source Similarityscripts/install-check.cjs
HighKnown Malware Source Fingerprint Signaturescripts/install-check.cjs
MediumDynamic Requireindex.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem