supplychainattack.org · Supply chain attack incident catalog
contained · critical

Malware in prettier-sdk

Malware was discovered in the npm package prettier-sdk, resulting in full system compromise for any installation. The package grants outside entities complete control of affected systems.

Disclosed
Last updated
Blast radius
Any system with prettier-sdk installed or running
Ecosystems
Attack vectors
Affected entities
  • prettier-sdk · npm package

A critical malware incident was identified in the npm package prettier-sdk. According to the GitHub Advisory (GHSA-hwr7-qq29-qrf2), any computer with this package installed or running should be considered fully compromised.

The malware grants complete control of the affected system to an outside entity. All secrets and cryptographic keys stored on compromised machines should be rotated immediately from a different, unaffected computer.

While the package should be removed, there is no guarantee that removal will eliminate all malicious software that may have been installed as a result of the initial compromise, given the level of system access obtained.

Users should treat any system that installed or ran prettier-sdk as potentially containing persistent backdoors or additional malware beyond the package itself.

Indicators of compromise

Packages
  • prettier-sdk

Remediation

  • Immediately remove the prettier-sdk package from all systems
  • Rotate all secrets, API keys, and cryptographic credentials from a clean, unaffected computer
  • Perform forensic analysis on affected systems to identify any additional malware or persistence mechanisms
  • Consider full system reimaging or replacement if the system handles sensitive data or credentials
  • Audit all access logs and network connections from affected systems during the period of compromise
  • Monitor for unauthorized access or lateral movement from compromised systems to other network resources
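
To scope the first remediation step, the following added example (not part of the advisory or of this catalog) searches a parsed package-lock.json for prettier-sdk, including transitive and aliased copies. The function name, the sample lockfiles and their version strings are constructed for illustration.

```javascript
const FLAGGED = 'prettier-sdk'; // package named in this entry
// Return every install path in a parsed package-lock.json that resolves to `name`,
// including transitive copies and npm aliases (lockfileVersion 1, 2 and 3 layouts).
function findInLock(lock, name = FLAGGED) {
  const hits = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf('node_modules/');
    if (idx === -1) continue; // "" (the root project) and workspace folders
    const folder = path.slice(idx + 'node_modules/'.length);
    // meta.name is present when the folder is an alias for another package.
    if (folder === name || meta.name === name) {
      hits.push({ path, version: meta.version || null });
    }
  }
  // lockfileVersion 1 (and the legacy half of v2): nested "dependencies" tree.
  const walk = (deps, trail) => {
    for (const [dep, meta] of Object.entries(deps || {})) {
      const here = `${trail}node_modules/${dep}`;
      const aliased = String(meta.version || '').startsWith(`npm:${name}@`);
      if ((dep === name || aliased) && !hits.some((h) => h.path === here)) {
        hits.push({ path: here, version: meta.version || null });
      }
      walk(meta.dependencies, `${here}/`);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}
// Constructed sample lockfiles; the version strings are placeholders.
const sampleV3 = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/left-tool': { version: '2.1.0' },
  'node_modules/left-tool/node_modules/prettier-sdk': { version: '0.0.0-placeholder' },
  'node_modules/fmt': { name: 'prettier-sdk', version: '0.0.0-placeholder' },
} };
const sampleV1 = { lockfileVersion: 1, dependencies: {
  'left-tool': { version: '2.1.0', dependencies: {
    'prettier-sdk': { version: '0.0.0-placeholder' } } },
} };
// Usage: node find-flagged.js path/to/package-lock.json
if (/\.json$/.test(process.argv[2] || '')) {
  import('node:fs').then(({ readFileSync }) => {
    const hits = findInLock(JSON.parse(readFileSync(process.argv[2], 'utf8')));
    console.log(hits.length ? hits : `no ${FLAGGED} entries found`);
  });
}
```

An empty result only covers what that lockfile resolves today; it does not rule out a global install or an earlier install that has since been removed from the project.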

Sources

  1. GitHub Advisory GHSA-hwr7-qq29-qrf2 · GitHub Advisory Database

Cite this entry

"Malware in prettier-sdk." supplychainattack.org, Supply Chain Attack Incident Catalog. Disclosed June 10, 2026; last updated June 10, 2026. https://supplychainattack.org/incident/malware-in-prettier-sdk-18p1w0


  1. active · critical

    Malware in transportator

    The npm package transportator contains malware that grants full system compromise to attackers. Any computer with this package installed or running should be considered fully compromised and all secrets and keys rotated immediately from a different machine.

    npm · Compromised package
  2. contained · critical

    Malware in vite-react-toolkit

    The npm package vite-react-toolkit contained malware that provided full system compromise to attackers. Any computer with this package installed should be considered fully compromised and all secrets and keys rotated immediately from a different machine.

    npm · Compromised package
  3. resolved · critical

    Malware in @malwguy/ecto-corsair-whisper-3d2a7c

    The npm package @malwguy/ecto-corsair-whisper-3d2a7c contains malware that grants full system compromise to an outside entity. Any computer with this package installed or running should be considered fully compromised.

    npm · Compromised package
  4. contained · critical

    Malware in coral-wraith

    Malware was discovered in the npm package coral-wraith. Systems with the package installed or running should be considered fully compromised and require immediate remediation.

    npm · Compromised package