registry  /  prettier-plugin-base  /  1.0.0

prettier-plugin-base@1.0.0

AI Security Review

scanned 4h ago · by lpm-firewall-ai

No confirmed attack surface is established. Importing the package exposes only fixed-string functions.

Static reason
No blocking static signals were detected.
Trigger
User explicitly imports `prettier-plugin-base` and calls a `line*` function.
Impact
No observed credential access, network activity, persistence, execution, or file mutation.
Mechanism
Static local string-returning exports only.
Rationale
Direct source inspection shows a minimal lyric utility with no install-time or runtime attack behavior. The unrelated dependency declaration is not executed or referenced by this package's source.
Evidence
package.jsonindex.jsREADME.md

OSV Corroboration

OpenSSF/OSV
Advisory
MAL-2026-10430
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in prettier-plugin-base (npm)
Details
The package was found to contain malicious code or consuming dependency that contains malicious code ## Source: ghsa-malware (12e1efa0356d63d986dfc7b5ffb552aedb5341ba76043370f5e4d1a5dff6804e) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Decision evidence

public snapshot
AI called this Clean at 99.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • `package.json` has no preinstall/install/postinstall/prepare lifecycle hook.
    • `index.js` only exports five synchronous functions returning fixed strings.
    • `README.md` documents the same local lyric-returning API.
    • No network, filesystem-write, environment, shell, eval, or dynamic-loading primitive appears in package source.
    Behavioral surface
    SourceNo risky source behavior triggered.
    Supply chain
    Trivial
    ManifestNo manifest risk signals triggered.
    scanned 1 file(s), 248 B of source

    Source & flagged code

    0 flagged
    No flagged code excerpts are attached to this scan.

    Findings

    1 Low
    LowScripts Present