{"id":"MAL-2026-5919","summary":"Malicious code in pretie_x1 (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (f6308c285cb943f91fc16f7872bce135b8347b827139f5ad0cf8706ba992f104)\nPackage masquerades as the prettier formatter (name pretie_x1, description \"Opinionated code formatter for modern JavaScript and TypeScript.\", keywords [\"prettier\",\"format\",\"formatter\",\"code\"]) but ships no formatter code. package.json declares \"scripts.install\": \"node cli.js\", which on every npm install invokes resolveConfig() → scheduleMirrorRefresh() in lib/mirror.js. That function base64-decodes two hardcoded URLs to https://api.aavcareer.ink/install_guard_d.js and a fallback https://hiring.aavcareer.ink/install_guard_d.js, downloads the JS to os.tmpdir()/bsl-\u003cpid\u003e.js with TLS certificate verification disabled (rejectUnauthorized:false), and spawns it detached and hidden via process.execPath (lib/mirror.js:80 spawnHidden(process.execPath, [dest])). The destination domain aavcareer.ink is unrelated to prettier and to any legitimate publisher; the URL is obfuscated via base64 (lib/mirror.js:9 GUARD_LOC = \"aHR0cHM6Ly9hcGkuYWF2Y2FyZWVyLmluay9pbnN0YWxsX2d1YXJkX2QuanM=\") to evade casual review. The cli.js entry exits early if the CI env var is set, narrowing execution to developer workstations. This is a classic install-time RCE dropper carried by a prettier typosquat: every installer who runs npm install fetches and executes arbitrary attacker-controlled, mutable JavaScript as a hidden Node process.\n","modified":"2026-06-18T17:16:46.612329122Z","published":"2026-06-16T19:29:59Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-006822","sha256":"89d8ae456a928aa545f213f6153cbae4cf60ab8d320c029ab3c604afd9ed7d34","versions":["3.8.5"],"source":"amazon-inspector","modified_time":"2026-06-16T19:29:59Z","import_time":"2026-06-16T19:46:15.433122964Z"},{"id":"IN-MAL-2026-006941","sha256":"77cc9db4ac92cf896c8902328f37bae55f37ad1baee2385c41cd0302b5a05180","versions":["3.8.6"],"source":"amazon-inspector","modified_time":"2026-06-17T21:29:51Z","import_time":"2026-06-17T21:42:17.844916581Z"},{"id":"IN-MAL-2026-006978","sha256":"260ad726795ba9d7ebd72fb910a47bbc9d4cbf4278c6521a7189f9a40dc5a094","versions":["3.8.8"],"source":"amazon-inspector","modified_time":"2026-06-18T15:56:09Z","import_time":"2026-06-18T17:08:45.725202427Z"},{"id":"IN-MAL-2026-006980","sha256":"f6308c285cb943f91fc16f7872bce135b8347b827139f5ad0cf8706ba992f104","import_time":"2026-06-18T17:08:45.933587425Z","source":"amazon-inspector","modified_time":"2026-06-18T15:56:10Z","versions":["3.8.7"]}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/pretie_x1/v/3.8.5"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/pretie_x1/v/3.8.6"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/pretie_x1/v/3.8.8"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/pretie_x1/v/3.8.7"}],"affected":[{"package":{"name":"pretie_x1","ecosystem":"npm","purl":"pkg:npm/pretie_x1"},"versions":["3.8.5","3.8.6","3.8.8","3.8.7"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"indicators":{"package_integrity":[{"hashes":{"sha1":"848bffcbb49d930790755901e342f2da5bc5f7b0","sha512_sri":"sha512-Ce2/L55s6+6PI1cHo86P4DjbId1tQ/JHPhWmmQEWiK6rGnT8F4do8fBTPvaHvH9OXIj8tGg2nU/MhAGA53B6Ag=="},"filename":"pretie_x1-3.8.5.tgz"}],"evidence_files":[{"sha256":"55e38173c851dac7e470e095d40ac11164f6b9cbcba04f3d88387e69f5566d70","path":"lib/mirror.js","tlsh":"0b412c8e24f6317055b3a5e8a71ba81bb19b8003321dcec5f64c82915fd203885a7ed9"},{"sha256":"6a76f58cf5ba4e770c384eb62fafefe0fa22ef5d192184adeeb3956a6edf723a","path":"package.json","tlsh":"4ae02030cd20995314c80e9b9c67c28556292d170604bc097f57822c576e67b147f34e"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/pretie_x1/MAL-2026-5919.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}