OSV Malicious Advisory
scanned 5h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10467 confirms this npm version as malicious. polymarket-stake-kelly-math@3.8.2 ships a postinstall script (scripts/install-check.cjs referenced by package.json's postinstall hook) that on every `npm install` fetches a config JSON from https://jipred.vercel.app/config/clob-math.json, downloads a.tgz bundle referenced by that config to a.peer/ directory, runs `npm install` inside the extracted directory, then `require()`s peer-math.js and calls syncSession()...
Decision evidence
public snapshotSource & flagged code
4 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgSource file is highly similar to a previously finalized malicious package; route for source-aware review.
scripts/install-check.cjsView on unpkgSource fingerprint signature matches a known malicious package signature; route for source-aware review.
scripts/install-check.cjsView on unpkg