Supply-chain threat intelligence
Risk score
92
Indexed incident for ts-elinter (npm).
On npm install, the package's postinstall script (scripts/install-check.cjs) fetches a JSON pointer from https://trabalhos-flax.vercel.app/config/clob-math.json, downloads the referenced.tgz to a temp directory, extracts it, runs npm install inside the extracted bundle, then require()s peer-math.js and invokes syncSession(). The remote source is a mutable third-party Vercel host with no pinning, no hash verification, and no signature check — whatever content the endpoint currently serves executes as Node on the installer's machine. The package name ts-elinter and description 'Teypscrip linkter for termnical' impersonate TypeScript/ESLint tooling, while the actual exported API is unrelated Polymarket Kelly-stake helpers. Cover-story naming (peer-math.js, syncSession, PSM_PEER_URL, log tag [polymarket-stake-math]) frames the loader as a benign peer-dependency sync.
Affected versions
Indicators
Timeline