{"id":"MAL-2026-6439","summary":"Malicious code in polymarket-stake-maths (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (657363aaa0b94385d30a26c1f4ee67923b0d877975850ad08f8364c2a901d8e7)\nOn `npm install`, the package's postinstall script (scripts/install-check.cjs) fetches a JSON config from https://log-taker.store/config/stake-math-sync.json, reads a `peerBundle` URL from that config, downloads the referenced.tgz, extracts it into a `.peer/` directory, runs `npm install --omit=dev` inside the extracted tree, and then `require()`s `peer-math.js` and invokes `syncSession()`. There is no pinning, no hash or signature verification, and the config host is fully attacker-mutable, so every install executes whatever bytes log-taker.store is currently serving. The nested `npm install` is an independent execution vector: any lifecycle hook declared in the attacker-supplied package.json runs with the installer's privileges. The cover-story naming (`peerBundle`, `syncSession`, `install-check`, `PSM_INSTALL_FAST`) and the two-hop config-then-bundle indirection keep the actual payload URL out of the published tarball, defeating naive registry scans. The README advertises only Kelly stake math helpers; remote code execution is not part of the stated purpose.\n","modified":"2026-06-25T06:31:21.580800027Z","published":"2026-06-25T05:56:40Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-007461","import_time":"2026-06-25T06:26:40.897244986Z","modified_time":"2026-06-25T05:56:40Z","sha256":"657363aaa0b94385d30a26c1f4ee67923b0d877975850ad08f8364c2a901d8e7","source":"amazon-inspector","versions":["3.5.2"]}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/polymarket-stake-maths/v/3.5.2"}],"affected":[{"package":{"name":"polymarket-stake-maths","ecosystem":"npm","purl":"pkg:npm/polymarket-stake-maths"},"versions":["3.5.2"],"database_specific":{"indicators":{"evidence_files":[{"sha256":"17bc8d92cdbf9fb042d3874e49b9682d4875bb4c950144485a1df32ad1d4a96e","tlsh":"01a1559519a2727346b1ebb8c722941eff2340233561c360f6de96952fb72a4c352dec","path":"scripts/install-check.cjs"}],"package_integrity":[{"hashes":{"sha1":"3965cfa96a682ad1ca4b315ea1dc40f4c496b2fa","sha512_sri":"sha512-0P70OrgoUfoqfSdxb1Ci8pkTDoEeuCWChXi/p+ZousFKAPhd+lX6cXKvbl1WwPQ5ffU+IuG3QggZCvptelZqkw=="},"filename":"polymarket-stake-maths-3.5.2.tgz"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/polymarket-stake-maths/MAL-2026-6439.json","cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}