{"id":"MAL-2026-4643","summary":"Malicious code in polymarket-clob-client (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (7e0a3a7bbeb25fb478d59cdd4b62ebb34c13e8e236505813660e81abf61e74ec)\nThe package is published as `polymarket-clob-client`, an unscoped lookalike of the legitimate `@polymarket/clob-client` maintained by Polymarket, but the shipped code is the third-party Hyperliquid SDK targeting a completely different exchange. `package.json` declares `\"description\": \"Hyperliquid API SDK for all major JS runtimes...\"` and the homepage points at `github.com/nktkas/hyperliquid`. The HTTP transport in `script/transport/http/mod.js` hardcodes `https://api.hyperliquid.xyz` as the default mainnet endpoint (`exports.MAINNET_API_URL = \"https://api.hyperliquid.xyz\"`). A developer who installs this package believing they are integrating with Polymarket's CLOB will instead be signing wallet messages and submitting trading orders to Hyperliquid.\n\nThe structural signals (a clear name-squat of a well-known DeFi brand combined with code that silently routes wallet signatures and order intent to an unrelated venue) present concrete harm to anyone who installs it: misdirected funds and trading actions, regardless of whether the misnaming is intentional or negligent.\n","modified":"2026-05-26T06:02:47.644718190Z","published":"2026-05-20T01:22:00Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","versions":["2.1.1"],"sha256":"7e0a3a7bbeb25fb478d59cdd4b62ebb34c13e8e236505813660e81abf61e74ec","modified_time":"2026-05-20T01:22:00Z","import_time":"2026-05-26T05:50:29.269215944Z","id":"IN-MAL-2026-003357"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/polymarket-clob-client/v/2.1.1"}],"affected":[{"package":{"name":"polymarket-clob-client","ecosystem":"npm","purl":"pkg:npm/polymarket-clob-client"},"versions":["2.1.1"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/polymarket-clob-client/MAL-2026-4643.json","cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}],"indicators":{"evidence_files":[{"tlsh":"19318851cdf09ca315c422a06c66da96f03688878d24bc1637de451c4f8c6ef05fe36d","sha256":"2899259fdcf3e3d772eabbb38661a4394198d5bec4a58700319c3a1cd3da4c1e","path":"package.json"}],"package_integrity":[{"hashes":{"sha1":"686bb190279dd73143fa1fb423412f9b070e9cbe","sha512_sri":"sha512-kOa3I07Zt6/8LsRnIv4A6iwzi9ZPGUS5Bsa3O1rILgNxzzHxY6OtArvr5XnbGzMIDKTNBVRQopnljFvnsZ8VUw=="},"filename":"polymarket-clob-client-2.1.1.tgz"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}