`polymarket-clob-math` — Polymarket SDK impersonator with Vercel-hosted unsigned tarball loader
On 2026-06-27 17:20 UTC an operator published polymarket-clob-math@1.0.4 to npm — an impersonator of the legitimate @polymarket/clob-client math helper. A postinstall script fetches a JSON config from an unverified Vercel domain (PSM_PEER_URL), downloads and extracts an unpinned mutable tarball whose contents the operator can swap at will, and executes the resulting attacker JavaScript on the installer. Internal references (peer-math.js, syncSession) masquerade it as a benign dependency-sync mechanism. npm-support replaced 1.0.4 with a 0.0.1-security holder on 2026-06-29.
- Detected by
- Amazon Inspector · OpenSSF Package Analysis · GitHub Security Advisory
- Also known as
- Polymarket peer-math impersonator
- Ecosystems
- npm
- Packages tracked
- 1
What happened
On 2026-06-27 17:20:50 UTC, an operator published polymarket-clob-math@1.0.4 to the unscoped npm namespace. The package masquerades as a math helper for the Polymarket CLOB (central limit order book) SDK — the legitimate package is @polymarket/clob-client under the @polymarket scope. Internal symbols in the published code use legitimate-sounding names (PSM_PEER_URL, peer-math.js, syncSession) so a quick package-page audit reads as a benign peer-sync utility.
Install-time loader chain
The package.json declares a postinstall script that, on every npm install, fetches a JSON configuration from an external Vercel domain bound to the PSM_PEER_URL reference. The JSON response names a tarball URL (unsigned, unpinned, no integrity hash). The postinstall hook downloads the tarball, extracts it locally, and executes the resulting JavaScript with the installer's full Node-process privileges. Because the JSON config and tarball are served from attacker-controlled Vercel infrastructure, the operator can rotate the executed second-stage payload without ever republishing the npm package — lockfile pinning of polymarket-clob-math@1.0.4 does NOT pin what the dropper fetches at install time, only the dropper itself.
Polymarket-targeting context
The target audience is the population of developers building on the Polymarket order book. A typosquat under the unscoped name catches autocomplete-blind dependency adds (e.g. typing npm install polymarket-clob-math instead of @polymarket/clob-client) and any tooling that resolves bare names without an enforced scope policy. Polymarket-targeting supply-chain attacks have a prior history in the npm and crates ecosystems — the crates-2026-02-05-polymarket-typosquats record in this database tracks the cross-ecosystem version of the same operator-class targeting.
Disclosure timeline
- 2026-06-27 17:20:50 UTC —
polymarket-clob-math@1.0.4published to npm. - 2026-06-28 06:02 UTC — OSSF malicious-packages records
MAL-2026-6556ingested from Amazon Inspector; OpenSSF Package Analysis adds an independent flag. - 2026-06-29 03:17:21 UTC — npm-support replaces
polymarket-clob-mathwith a0.0.1-securityholder; GHSA mirrors asGHSA-3q5w-m6wr-5jp2.
Affected packages (1)
- npm
polymarket-clob-math1.0.4
Impact
- Install-time arbitrary code execution —
postinstallfetches a JSON config from a mutable Vercel-hosted endpoint, downloads the linked tarball without hash pinning or signature verification, extracts it on the installer's machine, and executes the bundled JavaScript with the installer's privileges - Mutable second-stage payload — because the JSON config and tarball live on attacker-controlled Vercel infrastructure, the operator can change the executed code retroactively without republishing the npm package; lockfile pinning of
polymarket-clob-math@1.0.4does NOT pin the dropped payload - Target audience is Polymarket builders — the package name and the legitimate-sounding
peer-math/syncSessioninternal terminology aim to catch developers wiring up to the real@polymarket/clob-clientwho autocomplete-blind install the unscoped lookalike instead - Per the GHSA advisory: any system that installed
polymarket-clob-math@1.0.4should be considered fully compromised; all reachable secrets and keys require rotation from a separate clean device
What to do
- 1Remove every reference to
polymarket-clob-mathfrompackage.json/ lockfiles / CI image layers — the name now serves a0.0.1-securityholder, sonpm installwill hard-fail until you delete the line - 2Use the legitimate
@polymarket/clob-clientpackage under the@polymarketnpm scope; verify the maintainer is thepolymarketorg - 3Treat any host that ran
npm installagainstpolymarket-clob-math@1.0.4as fully compromised: rotate npm tokens, GitHub tokens, AWS / GCP / Azure CLI tokens, SSH keys, and any Polymarket / on-chain trading credentials or signer keys reachable from that host, from a separate clean device - 4Block the package's Vercel C2 host at egress; grep CI runner logs for
PSM_PEER_URLreferences or any outbound HTTPS to*.vercel.appsince 2026-06-27 - 5Scan internal Artifactory / Nexus / Verdaccio mirrors for cached
polymarket-clob-mathtarballs and purge them — the npm-support takedown does not flush private caches