MAL-2026-4645

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/prettier-sdk/MAL-2026-4645.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4645
Published
2026-05-19T17:04:47Z
Modified
2026-05-26T06:02:50.836629307Z
Summary
Malicious code in prettier-sdk (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (80a3bdd18c28c0c045aaed2a3e5725b3b38cb45bc9c16d0b795c4334caed17a5)

The package prettier-sdk impersonates the top-tier prettier package (~50M weekly downloads): it copies prettier's README verbatim and forges its metadata (repository: prettier/prettier, homepage: https://prettier.io, author: James Long).

Its postinstall script (node ./plugins/preinstall.js) base64-decodes a hardcoded URL stored in the misleadingly named variable HASH_KEY = "aHR0cHM6Ly9qc29ua2VlcGVyLmNvbS9iLzM2S0VN" (decodes to https://jsonkeeper.com/b/36KEM, an anonymous, mutable paste service), fetches it with an axios HTTP GET, and writes the cookie field of the response body to the stdin of a detached node process: spawn('node', [], { detached: true,... }) followed by child.stdin.write(s1); child.unref(). The result is that arbitrary attacker-controlled JavaScript runs on every installer's machine at npm install time, with no integrity check, from a host whose content the attacker can change at will; the payload actually delivered can therefore differ from one install to the next and may not be recoverable after the fact.

Three independent block signals stack: a typosquat carrying a malicious payload against a top-100 package, an install-time fetch-and-execute from an anonymous paste host, and base64 obfuscation of the C2 URL.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "2233ad0befd0c3dabc3ad0e9bfcc1276925f1dcf2d4fffd686f45c248e830a2d",
            "modified_time": "2026-05-19T17:04:47Z",
            "id": "IN-MAL-2026-003206",
            "versions": [
                "1.0.2"
            ],
            "import_time": "2026-05-26T05:50:12.734183313Z",
            "source": "amazon-inspector"
        },
        {
            "sha256": "80a3bdd18c28c0c045aaed2a3e5725b3b38cb45bc9c16d0b795c4334caed17a5",
            "modified_time": "2026-05-19T17:04:47Z",
            "id": "IN-MAL-2026-003205",
            "import_time": "2026-05-26T05:50:12.562007513Z",
            "versions": [
                "1.0.2"
            ],
            "source": "amazon-inspector"
        }
    ]
}

Affected packages

npm / prettier-sdk

Package
npm / prettier-sdk
Affected ranges
1.*
Affected versions
1.0.2

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/prettier-sdk/MAL-2026-4645.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "package_integrity": [
        {
            "hashes": {
                "sha1": "2c457e13a84d6b85177cfaf2f5befed0fd0c1ce0",
                "sha512_sri": "sha512-XNtPUOmhVMtK0ru/0UwmHww/7RfdNtV50qlDNsNhGWVppaZZWwKIU9jhT7TMPiXjs5GLT/t+ls1jXfDfSG83ZQ=="
            },
            "filename": "prettier-sdk-1.0.2.tgz"
        }
    ],
    "domains": [
        "jsonkeeper.com"
    ],
    "evidence_files": [
        {
            "path": "plugins/preinstall.js",
            "sha256": "d07edb9add33cea5b33a5f846577ddaffce002871809a102e91c1b5acd93d44f",
            "tlsh": "1ee0e55f3137a77d1f700ad49832867649129020f282e1e0650a90576a87346054bee8"
        },
        {
            "path": "package.json",
            "sha256": "c8e2124074e396838be64cbfcff445dae95a8ec8636f28a64dbde7950f11d882",
            "tlsh": "a3d15723dace0d2212b42d58d8095ad162da67db6c50fb113bae802c5f4d57fa5ff20e"
        }
    ]
}