MAL-2026-3769
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/prettier-lint-lenz/MAL-2026-3769.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2026-3769
- Published
- 2026-05-14T19:25:15Z
- Modified
- 2026-05-15T07:51:35.668368Z
- Summary
- Malicious code in prettier-lint-lenz (npm)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (28f7035dda69170600724a31f4b3543e02ac23c9153f3a62c35f2ee5264eef44)
Package impersonates the popular
prettierformatter — README and description are copied verbatim from the real Prettier project, but the package ships no formatter code. Instead,package.jsondeclares"postinstall": "node index.mjs", which on Windows POSTs an install beacon to a hardcoded bare-IP C2 (http://204.10.194.64:5000/api/nonce), copies a bundledprettier-lint/directory to%LOCALAPPDATA%\prettier-lint, and executesctll.mjsfrom the deployed location.ctll.mjswrites a hidden VBScript runner and registers a Windows Scheduled Task namedCdllProtectwith a LogonTrigger (schtasks /Create /XML) that relaunchescdll.mjsviawscript.exe //nologoin a hidden window on every user logon, with 999 retries and no execution time limit. The deployedcdll.mjspolls the clipboard every ~250ms viapowershell.exe Get-Clipboard -Rawand POSTs the raw clipboard text as JSON to the same hardcoded endpoint over plain HTTP on every change, exfiltrating passwords, 2FA codes, wallet addresses, and any copied text. All three components (install-time beacon, deployed worker, persistence) share the attacker-controlled endpoint204.10.194.64:5000. - Database specific
{ "malicious-packages-origins": [ { "id": "IN-MAL-2026-002706", "sha256": "28f7035dda69170600724a31f4b3543e02ac23c9153f3a62c35f2ee5264eef44", "modified_time": "2026-05-14T19:25:15Z", "versions": [ "1.0.0" ], "import_time": "2026-05-15T07:37:17.487092762Z", "source": "amazon-inspector" }, { "id": "IN-MAL-2026-002707", "sha256": "81348c27286005b3399de72570527ed0afc1414830a74fae852229bcfda31e01", "modified_time": "2026-05-14T19:25:15Z", "versions": [ "2.6.4" ], "import_time": "2026-05-15T07:37:17.579703965Z", "source": "amazon-inspector" } ] }- References
- Credits
-
-
- Amazon Inspector - FINDER
-
Affected packages
npm / prettier-lint-lenz
Package
- Name
- prettier-lint-lenz
- View open source insights on deps.dev
- Purl
- pkg:npm/prettier-lint-lenz
Database specific
cwes
[
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
}
]
indicators
{
"evidence_files": [
{
"path": "README.md",
"sha256": "f1f5a86cd0fd0f6a288882527830a9bbbd5851e3238c4d7426b7bbb496165cd1",
"tlsh": "3b61ddb385a5074c67c086d0dad93848ea1bbdefbec13548ece9c7327b441e9456718b"
},
{
"path": "index.mjs",
"sha256": "75e96575895242a3370297d99314ec583140ef9fb9d99e5eee8ac047f6ee66f5",
"tlsh": "a53103e340b74f701bf255cabe1ed87712e701113649bc64bd6e4b389bda428960258d"
},
{
"path": "prettier-lint/cdll.mjs",
"sha256": "36474b07d134b1cb0619bd374247861d4a213bc853f0f277112c5087f8b58036",
"tlsh": "1cb1a85a94fe0a36c3b330785b1fe05652679103374deda0b99c0a60bfa64398657acd"
},
{
"path": "prettier-lint/ctll.mjs",
"sha256": "571bb394b72fd8d3efef691b06fd3ed66257373812caf229bb51ea6af3067bdb",
"tlsh": "4d81fa0b6892c7310ff232c4241ed95927bf01133a85e98077ec86b5afb706a82725c9"
}
],
"package_integrity": [
{
"hashes": {
"sha1": "e4d96da8ce9384c4ff4e17e7b072423e4bd5ad56",
"sha512_sri": "sha512-YqVgAg9sGZXiYyHT+9bDrJZD+rdKBcfWyjxGoe0xhdmjQUJLAtBQX1OpR4afWuikwu0z3LyMF0oF0HNqEzoqhg=="
},
"filename": "prettier-lint-lenz-1.0.0.tgz"
}
]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/prettier-lint-lenz/MAL-2026-3769.json"