Which versions of clob-client-math are malicious?

The following npm versions of clob-client-math are flagged malicious: 1.0.0. Treat any of these as compromised.

How do I remediate clob-client-math if I installed it?

clob-client-math is a typosquat — you almost certainly intended a legitimately-named package. Remove clob-client-math, install the correct package, and rotate any secrets exposed during the install since post-install scripts may have already run.

I already installed clob-client-math — how do I know if it already compromised me?

If clob-client-math was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is clob-client-math part of a known attack campaign?

Yes — clob-client-math is associated with the IN-MAL-2026-007772 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find clob-client-math across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for clob-client-math (version 1.0.0). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging clob-client-math across your stack and pipelines.

Malicious package

clob-client-mathnpm

Malicious code in clob-client-math (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-6587

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall clob-client-math

What this malware does

On npm install, the package's postinstall script fetches a JSON config from datasecure-service.vercel.app/config/clob-math.json, downloads a tarball from a URL contained in that response, extracts it under a.peer/ directory, runs npm install inside the extracted tree, then require()s the resulting peer-math.js and invokes its syncSession() function. The fetched payload is unpinned, unverified (no hash or signature check), mutable, and hosted on infrastructure unrelated to any documented Polymarket publisher. The dropper path is framed in console output as a benign 'install check' / 'peer sync', while the package's advertised purpose is Kelly-criterion stake sizing math — no part of that purpose requires fetching and executing remote code at install time. The package name and README also impersonate the legitimate @polymarket/clob-client ecosystem, indicating the lure targets Polymarket developers. Installing this package causes arbitrary attacker-controlled code to execute on the installer's machine.

Malicious versions

1 flagged

1.0.0

Indicators of compromise (SHA-256)

9e5d9d8399e2b05081019def33eac48372a162c8c9a069c26d4225285ffe0a18

Detection & response playbook

Typosquat

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for clob-client-math (version 1.0.0). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging clob-client-math across your stack and pipelines.
If you installed it — respond
clob-client-math is a typosquat — you almost certainly intended a legitimately-named package. Remove clob-client-math, install the correct package, and rotate any secrets exposed during the install since post-install scripts may have already run.
Did it already run?
If clob-client-math was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks clob-client-math before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. clob-client-math on npm has been identified as a malicious package (version 1.0.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-007772

References

npmjs.com

Credits

Amazon Inspector · finder

Detect & block this

O3 blocks clob-client-math-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the malicious outbound activity and severs the channel.

Malware detection Runtime egress monitoring