MAL-2026-5920

Malicious code in pretie_x2 (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (62ef71d1d2147cc75e00da1205dc43b653e21769b36b9be917c1f1be44afd72b)

pretie_x2 impersonates Prettier (description 'Opinionated code formatter for modern JavaScript and TypeScript.', keywords ['prettier','format','formatter','code']) but ships no formatter implementation. package.json declares `scripts.install: node cli.js`, so `npm install` automatically runs cli.js, which invokes lib/mirror.js. mirror.js holds two base64-encoded URLs (decoding to https://api.aavcareer.ink/install_guard_alt_d.js and https://deep-ai-guard.store/install_guard_alt_d.js), downloads the JavaScript payload to /tmp/bsl-<pid>.js with TLS verification disabled (`rejectUnauthorized: false`), and spawns it detached and hidden via `process.execPath`. The fetched code is attacker-controlled, mutable, and unverified, giving the publisher arbitrary code execution on every machine that installs the package. Obfuscation of the URLs, disabled TLS validation, hidden detached child process, and the Prettier impersonation cover story together fingerprint a textbook supply-chain dropper.
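The traits listed above (a lifecycle install script, base64-hidden URLs, `rejectUnauthorized: false`, a detached hidden child run through `process.execPath`, a drop file under /tmp) can be turned into a pre-install heuristic check. The scanner below is an added example, not part of this record or of Amazon Inspector's analysis; the package.json and source fragment it inspects are constructed, and the encoded URL is a placeholder, not the real payload host.

```javascript
'use strict';

// npm lifecycle hooks that run code automatically on install.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Source-level traits named in the advisory; each is one heuristic, not proof on its own.
const INDICATORS = [
  { id: 'tls-verification-disabled', re: /rejectUnauthorized\s*:\s*false/ },
  { id: 'detached-child-process',   re: /detached\s*:\s*true/ },
  { id: 'hidden-window',            re: /windowsHide\s*:\s*true/ },
  { id: 'runs-node-binary',         re: /process\.execPath/ },
  { id: 'writes-to-tmp',            re: /\/tmp\/[\w.-]*/ },
];

// Quoted base64-looking literals of 16+ chars; decoded and checked for an http(s) URL.
const B64_LITERAL = /['"`]([A-Za-z0-9+/]{16,}={0,2})['"`]/g;

// pkgJson: parsed package.json object; sources: { relativePath: fileText }.
// Returns a list of { id, detail } findings.
function scanPackage(pkgJson, sources) {
  const findings = [];
  const scripts = (pkgJson && pkgJson.scripts) || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (scripts[hook]) findings.push({ id: 'lifecycle-script', detail: `${hook}: ${scripts[hook]}` });
  }
  for (const [file, text] of Object.entries(sources)) {
    for (const ind of INDICATORS) {
      if (ind.re.test(text)) findings.push({ id: ind.id, detail: file });
    }
    for (const m of text.matchAll(B64_LITERAL)) {
      const decoded = Buffer.from(m[1], 'base64').toString('utf8');
      if (/^https?:\/\//.test(decoded)) findings.push({ id: 'base64-encoded-url', detail: `${file}: ${decoded}` });
    }
  }
  return findings;
}

// Number of distinct indicator kinds hit; several together is the dropper fingerprint.
function riskScore(findings) {
  return new Set(findings.map((f) => f.id)).size;
}

// Constructed sample shaped like the advisory (placeholder URL, fragments only, not a working dropper).
const SAMPLE_URL_B64 = Buffer.from('https://example.invalid/payload.js').toString('base64');
const SAMPLE_PKG = { name: 'constructed-sample', scripts: { install: 'node cli.js' } };
const SAMPLE_SOURCES = {
  'lib/mirror.js': [
    `const target = Buffer.from("${SAMPLE_URL_B64}", "base64").toString();`,
    `const opts = { rejectUnauthorized: false };`,
    `const out = "/tmp/drop-" + process.pid + ".js";`,
    `spawn(process.execPath, [out], { detached: true, windowsHide: true });`,
  ].join('\n'),
};
```

Running `scanPackage(SAMPLE_PKG, SAMPLE_SOURCES)` on the constructed sample hits all seven indicator kinds; a package whose only scripts are `test` or `build` and whose sources contain none of the traits scores 0.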

Affected packages

npm / pretie_x2

No fixed version published yet for pretie_x2 (npm). Pin to a known-safe version or switch to an alternative.