Feed
HighPublished 27 Jun 20261 package · 1 version

`polymarket-clob-math` — Polymarket SDK impersonator with Vercel-hosted unsigned tarball loader

Summary

On 2026-06-27 17:20 UTC an operator published polymarket-clob-math@1.0.4 to npm — an impersonator of the legitimate @polymarket/clob-client math helper. A postinstall script fetches a JSON config from an unverified Vercel domain (PSM_PEER_URL), downloads and extracts an unpinned mutable tarball whose contents the operator can swap at will, and executes the resulting attacker JavaScript on the installer. Internal references (peer-math.js, syncSession) masquerade it as a benign dependency-sync mechanism. npm-support replaced 1.0.4 with a 0.0.1-security holder on 2026-06-29.

typosquatcredential-theftcrypto-wallet-drain
Detected by
Amazon Inspector · OpenSSF Package Analysis · GitHub Security Advisory
Also known as
Polymarket peer-math impersonator
Ecosystems
npm
Packages tracked
1

What happened

On 2026-06-27 17:20:50 UTC, an operator published polymarket-clob-math@1.0.4 to the unscoped npm namespace. The package masquerades as a math helper for the Polymarket CLOB (central limit order book) SDK — the legitimate package is @polymarket/clob-client under the @polymarket scope. Internal symbols in the published code use legitimate-sounding names (PSM_PEER_URL, peer-math.js, syncSession) so a quick package-page audit reads as a benign peer-sync utility.

Install-time loader chain

The package.json declares a postinstall script that, on every npm install, fetches a JSON configuration from an external Vercel domain bound to the PSM_PEER_URL reference. The JSON response names a tarball URL (unsigned, unpinned, no integrity hash). The postinstall hook downloads the tarball, extracts it locally, and executes the resulting JavaScript with the installer's full Node-process privileges. Because the JSON config and tarball are served from attacker-controlled Vercel infrastructure, the operator can rotate the executed second-stage payload without ever republishing the npm package — lockfile pinning of polymarket-clob-math@1.0.4 does NOT pin what the dropper fetches at install time, only the dropper itself.

Polymarket-targeting context

The target audience is the population of developers building on the Polymarket order book. A typosquat under the unscoped name catches autocomplete-blind dependency adds (e.g. typing npm install polymarket-clob-math instead of @polymarket/clob-client) and any tooling that resolves bare names without an enforced scope policy. Polymarket-targeting supply-chain attacks have a prior history in the npm and crates ecosystems — the crates-2026-02-05-polymarket-typosquats record in this database tracks the cross-ecosystem version of the same operator-class targeting.

Disclosure timeline

  • 2026-06-27 17:20:50 UTCpolymarket-clob-math@1.0.4 published to npm.
  • 2026-06-28 06:02 UTC — OSSF malicious-packages records MAL-2026-6556 ingested from Amazon Inspector; OpenSSF Package Analysis adds an independent flag.
  • 2026-06-29 03:17:21 UTC — npm-support replaces polymarket-clob-math with a 0.0.1-security holder; GHSA mirrors as GHSA-3q5w-m6wr-5jp2.

Affected packages (1)

  • npmpolymarket-clob-math
    1.0.4

Impact

  • Install-time arbitrary code execution — postinstall fetches a JSON config from a mutable Vercel-hosted endpoint, downloads the linked tarball without hash pinning or signature verification, extracts it on the installer's machine, and executes the bundled JavaScript with the installer's privileges
  • Mutable second-stage payload — because the JSON config and tarball live on attacker-controlled Vercel infrastructure, the operator can change the executed code retroactively without republishing the npm package; lockfile pinning of polymarket-clob-math@1.0.4 does NOT pin the dropped payload
  • Target audience is Polymarket builders — the package name and the legitimate-sounding peer-math / syncSession internal terminology aim to catch developers wiring up to the real @polymarket/clob-client who autocomplete-blind install the unscoped lookalike instead
  • Per the GHSA advisory: any system that installed polymarket-clob-math@1.0.4 should be considered fully compromised; all reachable secrets and keys require rotation from a separate clean device

What to do

  1. 1Remove every reference to polymarket-clob-math from package.json / lockfiles / CI image layers — the name now serves a 0.0.1-security holder, so npm install will hard-fail until you delete the line
  2. 2Use the legitimate @polymarket/clob-client package under the @polymarket npm scope; verify the maintainer is the polymarket org
  3. 3Treat any host that ran npm install against polymarket-clob-math@1.0.4 as fully compromised: rotate npm tokens, GitHub tokens, AWS / GCP / Azure CLI tokens, SSH keys, and any Polymarket / on-chain trading credentials or signer keys reachable from that host, from a separate clean device
  4. 4Block the package's Vercel C2 host at egress; grep CI runner logs for PSM_PEER_URL references or any outbound HTTPS to *.vercel.app since 2026-06-27
  5. 5Scan internal Artifactory / Nexus / Verdaccio mirrors for cached polymarket-clob-math tarballs and purge them — the npm-support takedown does not flush private caches

References

npm-2026-06-27-polymarket-clob-math-vercel-loader