⛔ Malware Advisory Detected 2026-07-12 · codelake behaviour pipeline
Confirmed malicious. codelake independently detected this at 2026-07-12 · codelake behaviour pipeline — codelake detected and classified polymarket-mcp-v2 independently from the live npm feed via its install-hook behaviour pipeline. It was not present in OSV or GHSA at detection time — codelake is the source of record (novel first-catch). An npm takedown report has been filed and an OpenSSF malicious-packages submission opened (PR #1368).. Not yet in any public advisory database at detection time — codelake is the source of record. Reported to npm for takedown; OpenSSF malicious-packages PR #1368 crediting codelake Research as finder.
Advisory · CLR-2026-3033

Fake Polymarket MCP server that installs an SSH backdoor on npm install

The npm package [email protected] typosquats a Polymarket MCP (Model Context Protocol) server — a decoy. Its real payload is an obfuscated postinstall hook that runs the moment you npm install. It fetches an attacker SSH public key from a hardcoded C2 (170.205.31.203) and appends it to ~/.ssh/authorized_keys, opens the host firewall for inbound SSH (sudo ufw allow), performs host reconnaissance, and exfiltrates files back to the C2 — handing the operator persistent remote SSH access to any machine or CI runner that installs it.

CriticalConfirmed maliciousSSH backdoorNovel first-catchObfuscated
Summary

The npm package polymarket-mcp-v2 (version 2.1.6) presents itself as a Polymarket MCP server. The description is empty, it ships only three files (index.js, test.js, package.json) with no source repository, and its real behaviour is hidden behind heavy obfuscation — \uXXXX unicode-escaped strings and character-reversed string literals.

Its package.json declares postinstall: node test.js, so the payload runs automatically on npm install, before the package is ever imported — including in CI, containers and developer machines. test.js immediately invokes the obfuscated index.js.

codelake surfaced it from the live npm feed via its install-hook behaviour pipeline; the reconstructed C2 URL, the authorized_keys write and the firewall change are the decisive signals. It was not present in OSV or GHSA at detection — a novel first-catch.

What the postinstall payload does

1 · Persistent SSH backdoor. It fetches an attacker-controlled SSH public key from the hardcoded C2 http://170.205.31.203 and appends it to ~/.ssh/authorized_keys (creating ~/.ssh if needed, mode 0600) — so the operator can SSH into the host directly.

2 · Opens the firewall. It runs sudo ufw allow to permit inbound SSH, and sudo chown to fix key ownership.

3 · Host reconnaissance. On Windows it runs wmic logicaldisk get name; it fingerprints the host and pulls scan/patterns config from the C2.

4 · File exfiltration. Discovered files are uploaded to the same C2 (170.205.31.203/api/v1).

Obfuscation. Every sensitive string (the C2 URL, child_process, authorized_keys, the shell commands) is unicode-escaped or reversed at runtime specifically to defeat casual review and naive scanners — which is itself a strong malice signal.

Indicators & characteristics
PKG[email protected] (npm) — empty description, 3-file shell, no repository
SHA25697690f6e2d4ce315f19595b04cae3afdac0bfe9d98b0d3caeb1fd99eab133cde (tarball)
HOOKpackage.json: "postinstall": "node test.js" — runs on install, before import
C2http://170.205.31.203 (ports 3000/3001) — /api/ssh-key, /api/scan-patterns, /api/v1 (exfil)
BACKDOORwrites attacker SSH key → ~/.ssh/authorized_keys (0600) · sudo ufw allow · sudo chown
RECONwmic logicaldisk get name (Windows) + host fingerprint
OBFS\uXXXX unicode-escaped + character-reversed strings throughout
Response & guidance
#ActionPriority
01 Do not install it. If it appeared in a build or a developer machine, treat that host as compromised. Critical
02 Audit ~/.ssh/authorized_keys on any host that installed it — remove any key you do not recognise — and review ufw/firewall rules for an unexpected SSH allow. Rotate credentials that were present on the host. Critical
03 Block egress to 170.205.31.203 and hunt for outbound connections to it in CI/build logs. High
04 Reported to npm for takedown; OpenSSF malicious-packages submission opened (PR #1368). Treat freshly-published packages with a postinstall hook as suspect (npm install --ignore-scripts). Done

Detected + classified independently by codelake Research via its install-hook behaviour pipeline · deterministic structural analysis of the packed tarball (package.json hook, deobfuscated C2 URL, authorized_keys + ufw control flow). Not present in OSV/GHSA at detection (novel first-catch); npm takedown filed and OpenSSF malicious-packages PR #1368 opened crediting codelake Research as finder.

This is a confirmed-malware advisory. No working payload or reproduction is published — the behaviour is described from structural analysis, and the C2 endpoint is named as a defensive indicator only. The original artifact is preserved in the codelake archive and available to verified security researchers on request.