{"id":"MAL-2026-10083","summary":"Malicious code in clob-math-v2 (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (4cd6b75c25c58b35cca1a29500c1608eb1b121e37bd9305ff549d05d73b69031)\nPackage presents itself as a Polymarket CLOB math SDK but is published from a domain not owned by Polymarket (polymarket-clob-service.vercel.app; the real project is polymarket.com). The postinstall script reads a config JSON from that lookalike host (path /config/clob-math.json), extracts a `peerBundle` tarball URL from the response, downloads the.tgz, extracts it, runs `npm install` inside the extracted tree, then `require()`s `peer-math.js` from it and invokes `syncSession()`. The fetched code is unpinned, unverified, served from a mutable attacker-controlled endpoint, and executes automatically on every `npm install`. Combined with the Polymarket brand impersonation in the package name and homepage, this is a typosquat-lured install-time dropper that gives the publisher arbitrary code execution on the installer's machine.\n","modified":"2026-07-09T17:31:58.910288748Z","published":"2026-07-09T17:01:08Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-009361","import_time":"2026-07-09T17:19:29.083901125Z","versions":["2.0.1"],"source":"amazon-inspector","sha256":"4cd6b75c25c58b35cca1a29500c1608eb1b121e37bd9305ff549d05d73b69031","modified_time":"2026-07-09T17:01:08Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/clob-math-v2/v/2.0.1"}],"affected":[{"package":{"name":"clob-math-v2","ecosystem":"npm","purl":"pkg:npm/clob-math-v2"},"versions":["2.0.1"],"database_specific":{"indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-jISRVZ1xVYBWQYuMjhuB/Y1IDMmfvedX5SDUaakXXf33dma91ueeeiWCVLabgBcW65QJGcY6oxD0f8oV4UY2VQ==","sha1":"6728fd433ad7acf94463195398c61e63939f8046"},"filename":"clob-math-v2-2.0.1.tgz"}],"evidence_files":[{"path":"scripts/install-check.cjs","tlsh":"59a1459519a2727746b1ebb8c722901dfe2340233521c350f6de96952fb72a4c352dec","sha256":"6802db59168709186a085f1bf6c162288ae0482d66a35816bda9f0704d0b709b"},{"path":"package.json","tlsh":"def07837da504e3624b88f6d4e691544f4640b1f22b00d0b70bba11c0fb2163045b739","sha256":"0be964461c750668855e893277248c03e5202602288c7d9997ab5bda440c452c"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/clob-math-v2/MAL-2026-10083.json","cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}