polymarket-stake-mathsnpm

On npm install, the package's postinstall script (scripts/install-check.cjs) fetches a JSON config from https://log-taker.store/config/stake-math-sync.json, reads a peerBundle URL from that config, downloads the referenced.tgz, extracts it into a .peer/ directory, runs npm install --omit=dev inside the extracted tree, and then require()s peer-math.js and invokes syncSession(). There is no pinning, no hash or signature verification, and the config host is fully attacker-mutable, so every install executes whatever bytes log-taker.store is currently serving. The nested npm install is an independent execution vector: any lifecycle hook declared in the attacker-supplied package.json runs with the installer's privileges. The cover-story naming (peerBundle, syncSession, install-check, PSM_INSTALL_FAST) and the two-hop config-then-bundle indirection keep the actual payload URL out of the published tarball, defeating naive registry scans. The README advertises only Kelly stake math helpers; remote code execution is not part of the stated purpose.