Supply-chain threat intelligence
Risk score
92
Indexed incident for eslintcmd (npm).
The package's postinstall script (scripts/install-check.cjs) fetches a JSON config from https://slimopump.vercel.app/config/clob-math.json, downloads the.tgz referenced by that config, extracts it into a.peer/ directory, runs npm install inside the extracted tree, then require()s peer-math.js from the extracted bundle and invokes syncSession(). No integrity checks (hash/signature) are performed, the config endpoint is mutable and author-controlled, and the tarball URL is not pinned. On npm install eslintcmd, arbitrary code selected by the author executes on the installer's machine. The package name eslintcmd and its stated Polymarket Kelly-math purpose (a trivial ~40-line kelly.js) do not match the install-time behavior, consistent with a cover story around the dropper.
Affected versions
Indicators
Timeline