{"id":"MAL-2026-6712","summary":"Malicious code in polymarket-risk-manager (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (54bfddce038bb64117d6850bb2977f8cee17704212e12e6214fb495b9d4cee79)\nOn `npm install`, the package's postinstall script reads a config URL from package.json's `homepage` field (https://parket-server-help.vercel.app/config/psm-peer.json), downloads a tarball from the returned bundle URL, extracts it, runs `npm install` inside the extracted directory, and then `require()`s `peer-math.js` from the fetched bundle and invokes `syncSession()` from it. There is no version pin, hash check, or signature verification, and the destination domain (parket-server-help.vercel.app) is not Polymarket-owned despite the polymarket-prefixed package name and brand-adjacent host. The stated purpose of the package — Kelly stake math in a ~40-line kelly.js — does not require any network bundle. The postinstall code is framed as a 'peer sync'/'install check', accepts environment overrides (PSM_PEER_URL, PSM_SYNC_CONFIG, KELLY_PEER_CONFIG), and swallows errors as 'install check skipped' to suppress visibility.\nThis is the canonical install-time dropper shape: arbitrary attacker-controlled JavaScript executes inside the installer's Node process during dependency installation.\n","modified":"2026-07-01T21:16:43.118322997Z","published":"2026-07-01T20:37:17Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-007884","sha256":"54bfddce038bb64117d6850bb2977f8cee17704212e12e6214fb495b9d4cee79","versions":["3.5.2"],"modified_time":"2026-07-01T20:37:17Z","source":"amazon-inspector","import_time":"2026-07-01T21:04:19.992927956Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/polymarket-risk-manager/v/3.5.2"}],"affected":[{"package":{"name":"polymarket-risk-manager","ecosystem":"npm","purl":"pkg:npm/polymarket-risk-manager"},"versions":["3.5.2"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/polymarket-risk-manager/MAL-2026-6712.json","indicators":{"evidence_files":[{"path":"scripts/install-check.cjs","sha256":"76abe2f68ddc2948f9a9acea1c8ea0d6420ca3d4315627a6b0b3ee4070a48e2d","tlsh":"82a1459519a272774ab1ebb8c722901dfe6340233421c350f6de96952fb72a4c352dec"},{"path":"package.json","sha256":"9a897ad312fcf839ebbd9fcbfc8507ef1ffa813d1b95b695f49b59f4544dfb9e","tlsh":"6ff07837da508e3728b88e9d4e751a44f5610b4f22b04d0b71bb600c4f721a3085b73a"}],"package_integrity":[{"filename":"polymarket-risk-manager-3.5.2.tgz","hashes":{"sha1":"781de61c2cd924d9ea14a464fb92a4f4a03901dc","sha512_sri":"sha512-ulYPzuMvIso9LheSQBeSfpZlWM11yfeybsq5EmzKqIpJKmKxblAVam3VSVbAMxNtlchn/45XS5eVZulkmi5weg=="}}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}