MAL-2026-6587: Malicious code in clob-client-math (npm)
The npm package clob-client-math version 1.0.0 contains malicious code that executes arbitrary attacker-controlled commands during installation. Its postinstall script fetches and runs unverified remote code from an unrelated third-party server, masquerading as a legitimate Polymarket-related package. This behavior is not required for the package's advertised functionality and poses a direct code execution risk to users installing it.
AI Analysis (machine-generated threat intelligence)
Technical Summary
The clob-client-math npm package version 1.0.0 includes a postinstall script that downloads a JSON configuration from an untrusted external URL, which specifies a tarball to fetch and extract. The package then runs npm install inside the extracted directory and executes a JavaScript function from the downloaded code. This remote payload is mutable, unpinned, and unsigned, allowing an attacker to execute arbitrary code on the installer's machine. The package name and README impersonate the legitimate @polymarket/clob-client ecosystem to deceive developers. This constitutes a supply chain attack via a malicious npm package.
Potential Impact
Installing clob-client-math version 1.0.0 results in arbitrary code execution on the installer's system, potentially leading to full system compromise, data theft, or further malware deployment. The malicious payload is fetched dynamically and can be changed by the attacker at any time, increasing risk and unpredictability.
Mitigation Recommendations
Do not install clob-client-math version 1.0.0. No official patch or remediation is indicated, so the safest action is to remove the package from any project that contains it and replace it with a verified alternative. Because the payload runs from a postinstall script, the attacker-controlled code has already executed on any system where the package was installed, and that system should be treated as potentially compromised. Verify the source and authenticity of a package before installing it, and confirm that its name and scope match the project you intend to use (the analysis above identifies @polymarket/clob-client as the impersonated ecosystem) rather than a lookalike. No vendor advisory or official fix is currently available and the patch status is not yet confirmed; check vendor advisories for updates.
Technical Details
- GCVE Source: db.gcve.eu
- OSV ID: MAL-2026-6587
- OSV Schema Version: 1.7.4
- Aliases: []
- Ecosystems: ["npm"]
- Database Specific Severity: null
- CVSS Version: null
Threat ID: 6a42ed6927e9c7971993826c
Added to database: 06/29/2026, 22:10:49 UTC
Last enriched: 06/29/2026, 22:34:44 UTC
Last updated: 06/30/2026, 00:45:33 UTC