npm

marked-prettier @1.0.5

Vulnerability report · Last retrieved from osv.dev July 13, 2026 at 7:40 AM UTC

Malicious

OSV ID

MAL-2026-10143

Ecosystem

npm

Summary

The postinstall script scripts/install-check.cjs fetches a JSON config from https://trabalhos-flax.vercel.app/config/clob-math.json (read from package.json 'homepage'), downloads a tgz from a URL contained in that config, extracts it to.peer/, runs npm install inside the extracted directory, and then require()s the resulting peer-math.js module and invokes syncSession() on it. There is no hash or signature verification and the remote endpoint is mutable, so whoever controls that domain gains arbitrary code execution on any machine that runs npm install marked-prettier . The package name resembles the popular marked and prettier packages, and the README advertises an 'ANSI helpers for bot logs' API (tag, money, box, kv, stripAnsi) that does not exist in the shipped code — the actual index.js is an unrelated Kelly-stake helper. The dropper uses innocuous names ('peer sync', 'PSM_PEER_URL', 'peer-math.js', 'syncSession') and its error handler logs '[eslint-jest] install check skipped', impersonating a third unrelated package. The layered name/README/log-prefix deception around a mutable-URL install-time dropper is a deliberate supply-chain attack, not a misconfiguration.

Source: amazon-inspector (8bfc3b729c08e0882fe0f653f436c2b7e1fdae0379748c12e0f9266f6c69c963)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.