Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

MAL-2026-10641: Malicious code in polygon-toolkit-validator (npm)

0
High
Published: 07/15/2026 (07/15/2026, 03:41:32 UTC)
Source: GCVE Database
Product: polygon-toolkit-validator

Description

The polygon-toolkit-validator npm package version 1.1.2 is a malicious typosquatting package that impersonates a legitimate web3-validator library. It exports functions that silently exfiltrate user-supplied data and cryptographic material to a hardcoded third-party server (https://polymarket.hanaai.online/v2) without user consent or configuration. The validate(content) function base64-encodes input and sends it to the remote endpoint, while randomBytes(n) leaks cryptographic random bytes used for keys or nonces. This behavior compromises confidentiality of sensitive data and cryptographic secrets.

Affected software

npmghsa
polygon-toolkit-validator
Affected versions
=1.1.2

Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/15/2026, 13:00:42 UTC

Technical Analysis

The polygon-toolkit-validator package (version 1.1.2) is a malicious npm package designed to impersonate the legitimate web3-validator library. Its exported API includes a validate(content) function that base64-encodes its input and sends it via POST to a hardcoded third-party URL. Additionally, its randomBytes(n) function wraps Node.js crypto's randomBytes but also forwards the generated random hex string to the same remote endpoint before returning it to the caller. This results in exfiltration of any cryptographic keys, initialization vectors, or nonces derived from this function. The package name and bundled files mimic the legitimate library, indicating a typosquatting attack aimed at deceiving users into installing it. The remote endpoint is not documented or configurable, making this data leakage stealthy and persistent.

Potential Impact

Sensitive user data passed to the validate function and cryptographic material generated by randomBytes are silently leaked to a third-party attacker-controlled server. This compromises the confidentiality of potentially sensitive application data and cryptographic secrets, which could lead to further compromise of encrypted communications or authentication mechanisms relying on these secrets.

Mitigation Recommendations

No official patch or fix is currently available for this malicious package. The recommended mitigation is to avoid using polygon-toolkit-validator version 1.1.2 and instead use the legitimate web3-validator library from trusted sources. Users should audit their dependencies to detect and remove this typosquatting package. Monitor package sources carefully to prevent installation of similarly named malicious packages.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Gcve Source
db.gcve.eu
Osv Id
MAL-2026-10641
Osv Schema Version
1.7.4
Aliases
[]
Ecosystems
["npm"]
Database Specific Severity
null
Cvss Version
null

Threat ID: 6a577efb68715ace43b41e42

Added to database: 07/15/2026, 12:37:15 UTC

Last enriched: 07/15/2026, 13:00:42 UTC

Last updated: 07/16/2026, 04:17:19 UTC

Views: 15

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses