MAL-2026-5919
Malicious code in pretie_x1 (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (89d8ae456a928aa545f213f6153cbae4cf60ab8d320c029ab3c604afd9ed7d34)

pretie_x1 impersonates the popular prettier package (description copies prettier's tagline; keywords include 'prettier', 'format', 'formatter') but ships no formatter functionality.

On npm install, package.json's scripts.install runs node cli.js, which reaches lib/mirror.js. That file stores two C2 URLs as base64 literals (GUARD_LOC decoding to https://api.aavcareer.ink/install_guard_d.js and a fallback decoding to https://deep-ai-guard.store/install_guard_d.js), downloads JavaScript via https.get with rejectUnauthorized: false (TLS certificate validation disabled), writes it to os.tmpdir()/bsl-<pid>.js, and executes it via spawn(process.execPath, [dest]) detached and hidden.

The base64 encoding of the endpoints, the disabled TLS verification, and the hidden detached spawn collectively confirm intent to evade scanners and execute attacker-controlled code on the installer's machine. Any developer who mistypes 'prettier' as 'pretie_x1' grants the attacker arbitrary code execution under their user account.
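A static triage pass for the install-time indicators described above, written as an added example (it is not part of the advisory or of the reporting source's tooling). It inspects an unpacked package's text without running it; the sample package, the file name `lib/fetch.js` and the `example.invalid` URL are constructed, and the regex rules are heuristics rather than a complete detector.

```javascript
// Added example: static triage of an unpacked npm package before install.
// All sample inputs are constructed; example.invalid is a placeholder host.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall"];

// Decode base64-looking string literals; keep those that decode to a URL.
function hiddenUrls(source) {
  const urls = [];
  const literal = /["'`]([A-Za-z0-9+\/]{16,}={0,2})["'`]/g;
  for (const [, b64] of source.matchAll(literal)) {
    const text = Buffer.from(b64, "base64").toString("utf8");
    if (/^https?:\/\/[\x21-\x7e]+$/.test(text)) urls.push(text);
  }
  return urls;
}

// pkgJsonText: contents of package.json; files: { relativePath: sourceText }.
function triage(pkgJsonText, files) {
  const findings = [];
  const scripts = JSON.parse(pkgJsonText).scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (scripts[hook]) findings.push({ rule: "lifecycle-script", detail: `${hook}: ${scripts[hook]}` });
  }
  for (const [path, src] of Object.entries(files)) {
    for (const url of hiddenUrls(src)) findings.push({ rule: "base64-url", detail: `${path}: ${url}` });
    if (/rejectUnauthorized\s*:\s*false/.test(src)) findings.push({ rule: "tls-verify-off", detail: path });
    if (/\bspawn\s*\(/.test(src) && /detached\s*:\s*true/.test(src)) findings.push({ rule: "detached-spawn", detail: path });
  }
  return findings;
}

// Constructed sample: fragments carrying the indicators, never executed.
const SAMPLE_B64 = Buffer.from("https://example.invalid/stage2.js").toString("base64");
const SAMPLE_PKG = JSON.stringify({ name: "sample-pkg", scripts: { install: "node cli.js" } });
const SAMPLE_FILES = {
  "lib/fetch.js": [
    `const LOC = "${SAMPLE_B64}";`,
    "const opts = { rejectUnauthorized: false };",
    "spawn(process.execPath, [dest], { detached: true, windowsHide: true });",
  ].join("\n"),
};

for (const f of triage(SAMPLE_PKG, SAMPLE_FILES)) console.log(`${f.rule}\t${f.detail}`);
```

Any one rule firing alone is common in legitimate packages; the combination of a lifecycle script with an encoded URL, disabled certificate validation and a detached spawn is what warrants blocking the install and reviewing the package by hand.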
Affected packages
No fixed version published yet for pretie_x1 (npm). Pin to a known-safe version or switch to an alternative.