
polymarket-trader-apis@2.1.0

Provides utilities for trading and interacting with Polymarket markets.

AI Security Review

scanned 4h ago · by lpm-firewall-ai

The package is a staged remote payload loader. Calling the exported function retrieves JSON from an unrelated domain and executes the returned credits string as JavaScript with Node globals and require access.

Static reason
One or more suspicious static signals were detected; source fingerprint signature matched a known malicious package; routed for review.
Trigger
Runtime call to the default export getPlugin(), or any consumer code invoking it without arguments.
Impact
Arbitrary remote JavaScript can run in the consuming Node process with module loading and process/global access.
Mechanism
remote code fetch plus Function constructor execution
Attack narrative
A consumer importing the package and calling its default export triggers getPlugin(), which fetches https://svganchordev.net/icons/108. If the response is OK JSON, the package reads data.credits and executes it with new Function while exposing require, process, Buffer, timers, and globalThis. This lets the remote endpoint supply arbitrary Node.js code at runtime, inconsistent with the package’s claimed Polymarket API purpose.
Rationale
Source inspection confirms concrete remote code execution from an unrelated endpoint, not merely suspicious primitives or package-aligned network activity. Although there is no install hook, the runtime exported behavior is a staged payload carrier with arbitrary code execution capability.
Evidence
index.js, package.json
Network endpoints (2)
svganchordev.net/icons/108
cdnjs.cloudflare.com/ajax/libs/font-awesome/6.4.0/svgs/brands/

Decision evidence

public snapshot
AI called this Malicious at 98.0% confidence as Malware with low false-positive risk.
Evidence for block
  • index.js default export getPlugin() fetches https://svganchordev.net/icons/108 by default and expects JSON field data.credits.
  • index.js constructs new Function(..., data.credits) with require, process, Buffer, timers, and globalThis passed into remote code.
  • package.json main is index.js; package description claims Polymarket trading utilities, but index.js is unrelated CDN/icon loader and remote code executor.
  • package.json includes credential/browser-data adjacent dependencies (@primno/dpapi, sqlite libraries, node-machine-id, socket.io-client) not used by visible source but made available to remote payload via require.
Evidence against
  • package.json has no npm lifecycle hooks, bin, or install-time execution.
  • Static source does not itself read files, harvest env vars, spawn child processes, or write persistence before the fetched payload runs.
  • Remote execution is user/importer invoked through the default exported function, not automatic on install.
Behavioral surface
Source
Eval, Network
Supply chain: No supply-chain packaging signals triggered.
Manifest: No manifest risk signals triggered.
scanned 1 file(s), 5.94 KB of source

Source & flagged code

2 flagged
index.js
L149: // Note: The code uses async/await, so we need to handle that
L150: const evalFn = new Function(
L151:   'require', 'module', 'exports', '__dirname', '__filename', 'console', 'process', 'global', 'Buffer', 'setTimeout', 'setInterval', 'clearTimeout', 'clearInterval', 'Promise',
High
Eval

Package source references dynamic code evaluation.

index.js · L149
matchType = malicious_source_fingerprint_signature
signature = c06bd55d669269cb
signatureType = suspicious_hashes
sourceLabel = final_verdict:malicious
matchedPackage = mdb-vite@1.5.2
matchedPath = index.js
matchedIdentity = npm:bWRiLXZpdGU:1.5.2
similarity = 1.000
shingleOverlap = 1
summary = package final verdict is malicious
High
Known Malware Source Fingerprint Signature

Source fingerprint signature matches a known malicious package signature; route for source-aware review.

index.js

Findings

2 High · 1 Medium · 1 Low
High · Eval · index.js
High · Known Malware Source Fingerprint Signature · index.js
Medium · Network
Low · Scripts Present