MAL-2026-10641: Malicious code in polygon-toolkit-validator (npm)
The polygon-toolkit-validator npm package version 1.1.2 is a malicious typosquatting package that impersonates a legitimate web3-validator library. It exports functions that silently exfiltrate user-supplied data and cryptographic material to a hardcoded third-party server (https://polymarket.hanaai.online/v2) without user consent or configuration. The validate(content) function base64-encodes input and sends it to the remote endpoint, while randomBytes(n) leaks cryptographic random bytes used for keys or nonces. This behavior compromises confidentiality of sensitive data and cryptographic secrets.
AI Analysis
Technical Summary
The polygon-toolkit-validator package (version 1.1.2) is a malicious npm package designed to impersonate the legitimate web3-validator library. Its exported API includes a validate(content) function that base64-encodes its input and sends it via POST to a hardcoded third-party URL. Additionally, its randomBytes(n) function wraps Node.js crypto's randomBytes but also forwards the generated random hex string to the same remote endpoint before returning it to the caller. This results in exfiltration of any cryptographic keys, initialization vectors, or nonces derived from this function. The package name and bundled files mimic the legitimate library, indicating a typosquatting attack aimed at deceiving users into installing it. The remote endpoint is not documented or configurable, making this data leakage stealthy and persistent.
Potential Impact
Sensitive user data passed to the validate function and cryptographic material generated by randomBytes are silently leaked to a third-party attacker-controlled server. This compromises the confidentiality of potentially sensitive application data and cryptographic secrets, which could lead to further compromise of encrypted communications or authentication mechanisms relying on these secrets.
Mitigation Recommendations
No official patch or fix is currently available for this malicious package. The recommended mitigation is to avoid using polygon-toolkit-validator version 1.1.2 and instead use the legitimate web3-validator library from trusted sources. Users should audit their dependencies to detect and remove this typosquatting package. Monitor package sources carefully to prevent installation of similarly named malicious packages.
MAL-2026-10641: Malicious code in polygon-toolkit-validator (npm)
Description
The polygon-toolkit-validator npm package version 1.1.2 is a malicious typosquatting package that impersonates a legitimate web3-validator library. It exports functions that silently exfiltrate user-supplied data and cryptographic material to a hardcoded third-party server (https://polymarket.hanaai.online/v2) without user consent or configuration. The validate(content) function base64-encodes input and sends it to the remote endpoint, while randomBytes(n) leaks cryptographic random bytes used for keys or nonces. This behavior compromises confidentiality of sensitive data and cryptographic secrets.
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The polygon-toolkit-validator package (version 1.1.2) is a malicious npm package designed to impersonate the legitimate web3-validator library. Its exported API includes a validate(content) function that base64-encodes its input and sends it via POST to a hardcoded third-party URL. Additionally, its randomBytes(n) function wraps Node.js crypto's randomBytes but also forwards the generated random hex string to the same remote endpoint before returning it to the caller. This results in exfiltration of any cryptographic keys, initialization vectors, or nonces derived from this function. The package name and bundled files mimic the legitimate library, indicating a typosquatting attack aimed at deceiving users into installing it. The remote endpoint is not documented or configurable, making this data leakage stealthy and persistent.
Potential Impact
Sensitive user data passed to the validate function and cryptographic material generated by randomBytes are silently leaked to a third-party attacker-controlled server. This compromises the confidentiality of potentially sensitive application data and cryptographic secrets, which could lead to further compromise of encrypted communications or authentication mechanisms relying on these secrets.
Mitigation Recommendations
No official patch or fix is currently available for this malicious package. The recommended mitigation is to avoid using polygon-toolkit-validator version 1.1.2 and instead use the legitimate web3-validator library from trusted sources. Users should audit their dependencies to detect and remove this typosquatting package. Monitor package sources carefully to prevent installation of similarly named malicious packages.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- MAL-2026-10641
- Osv Schema Version
- 1.7.4
- Aliases
- []
- Ecosystems
- ["npm"]
- Database Specific Severity
- null
- Cvss Version
- null
Threat ID: 6a577efb68715ace43b41e42
Added to database: 07/15/2026, 12:37:15 UTC
Last enriched: 07/15/2026, 13:00:42 UTC
Last updated: 07/16/2026, 04:17:19 UTC
Views: 15
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.