{"id":"MAL-2026-5920","summary":"Malicious code in pretie_x2 (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (bc0da1230156c752bfa8b3456568e30a9eeb73c4100bff87777ae57d9f562e75)\nPackage name `pretie_x2` and its description 'Opinionated code formatter for modern JavaScript and TypeScript.' (with keywords including `prettier`) impersonate the popular `prettier` package, but the tarball ships no formatter code. The npm `install` lifecycle script invokes `cli.js`, which transitively calls `lib/mirror.js::scheduleMirrorRefresh`. That function base64-decodes two hardcoded URLs — `https://api.aavcareer.ink/install_guard_alt_d.js` and `https://deep-ai-guard.store/install_guard_alt_d.js` (lib/mirror.js:9) — downloads the JS to `/tmp/bsl-\u003cpid\u003e.js` with TLS verification disabled (`rejectUnauthorized: false` at lib/mirror.js:30), and spawns it via `process.execPath` as a detached, hidden, unref'd child (lib/mirror.js:84 `spawnHidden(process.execPath, [dest]);`). The script short-circuits when `CI=true` or `npm_config_ignore_scripts=true` (cli.js:4) to evade automated sandboxes. Neither host is associated with the package's claimed identity. Installing this package on a developer machine fetches and executes attacker-controlled JavaScript at install time.\n","modified":"2026-06-18T17:16:46.773301518Z","published":"2026-06-16T19:30:08Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-006824","versions":["3.8.5"],"modified_time":"2026-06-16T19:30:08Z","import_time":"2026-06-16T19:46:15.538357392Z","sha256":"391669e73027100d700a70363a7dfa6c33400e1800dc2fc507a502fe4ec2ea2c","source":"amazon-inspector"},{"id":"IN-MAL-2026-006823","versions":["3.8.6"],"modified_time":"2026-06-16T19:30:08Z","source":"amazon-inspector","sha256":"62ef71d1d2147cc75e00da1205dc43b653e21769b36b9be917c1f1be44afd72b","import_time":"2026-06-16T19:46:15.492052441Z"},{"id":"IN-MAL-2026-006979","versions":["3.8.7"],"import_time":"2026-06-18T17:08:45.835353235Z","source":"amazon-inspector","sha256":"2e8ee326743f865be6bcfdc9fd6536fa905a90df0523524f0849e3812e3e33ea","modified_time":"2026-06-18T15:56:10Z"},{"id":"IN-MAL-2026-006981","versions":["3.8.8"],"modified_time":"2026-06-18T15:56:15Z","source":"amazon-inspector","sha256":"bc0da1230156c752bfa8b3456568e30a9eeb73c4100bff87777ae57d9f562e75","import_time":"2026-06-18T17:08:45.972469194Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/pretie_x2/v/3.8.5"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/pretie_x2/v/3.8.6"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/pretie_x2/v/3.8.7"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/pretie_x2/v/3.8.8"}],"affected":[{"package":{"name":"pretie_x2","ecosystem":"npm","purl":"pkg:npm/pretie_x2"},"versions":["3.8.5","3.8.6","3.8.7","3.8.8"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}],"indicators":{"evidence_files":[{"tlsh":"8331534d32f221a05577a5dcbb4bec2fb68740027249cac4f64c92d15fd203881a7bdd","path":"lib/mirror.js","sha256":"a0cd29f9351ff2aabb84aeb0389feb65ca4e893d890bec4ed934c425a0bb0f70"},{"tlsh":"8ee02030cd20a99314c80edb9c67c28556392d174604bc097b57822c576e67b147f34e","path":"package.json","sha256":"ccfd33a8b6693c3ede72febeb3b5b4946c23f7da6d812c2f5916f7f0b10f7799"}],"package_integrity":[{"hashes":{"sha1":"1a4cd05dcf8bb27544c56f314fe968c665abf435","sha512_sri":"sha512-E4D0rZaurlRUZXEt40InSdp9obfJqCESNqWilsdMbQ8ma3KLBJqMefyJPMhdjGWgKLXwlEx3TcaUz4AoYNv29A=="},"filename":"pretie_x2-3.8.5.tgz"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/pretie_x2/MAL-2026-5920.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}