OSV Malicious Advisory
scanned 2h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-6585 confirms this npm version as malicious. On `npm install`, the package's postinstall hook (`scripts/install-check.cjs`, wired via package.json `scripts.postinstall`) fetches a JSON config from a hardcoded non-publisher host (`https://www.log-prettier.store/config/stake-peer-sync.json`), reads a tgz URL from that config, downloads the tarball, extracts it, runs a nested `npm install` inside the extracted directory, and then `require()`s `peer-math.js` from...
Advisory
MAL-2026-6585
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in stake-math (npm)
Details
On `npm install`, the package's postinstall hook (`scripts/install-check.cjs`, wired via package.json `scripts.postinstall`) fetches a JSON config from a hardcoded non-publisher host (`https://www.log-prettier.store/config/stake-peer-sync.json`), reads a tgz URL from that config, downloads the tarball, extracts it, runs a nested `npm install` inside the extracted directory, and then `require()`s `peer-math.js` from the dropped tree, executing it in the installer's Node process. There is no version pin, hash, or signature check, and the control-plane host is mutable and unrelated to the package's advertised purpose (a small Kelly-stake math helper) or to any legitimate publisher. The package also exhibits identity divergence: `package.json` `name` is `stake-math` while the README presents it as `polymarket-stake-math`, and `homepage` points at the same unrelated `log-prettier.store` domain — consistent with brand impersonation used to lure installers into running the dropper. Installing this version results in arbitrary attacker-controlled code execution on the installer machine.
Decision reason
OpenSSF Malicious Packages via OSV confirms stake-math@3.3.0 as malicious (MAL-2026-6585): Malicious code in stake-math (npm)
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory