MAL-2026-5920

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (62ef71d1d2147cc75e00da1205dc43b653e21769b36b9be917c1f1be44afd72b) pretie_x2 impersonates Prettier (description 'Opinionated code formatter for modern JavaScript and TypeScript.', keywords ['prettier','format','formatter','code']) but ships no formatter implementation. package.json declares `scripts.install: node cli.js`, so `npm install` automatically runs cli.js, which invokes lib/mirror.js. mirror.js holds two base64-encoded URLs (decoding to https://api.aavcareer.ink/install_guard_alt_d.js and https://deep-ai-guard.store/install_guard_alt_d.js), downloads the JavaScript payload to /tmp/bsl-<pid>.js with TLS verification disabled (`rejectUnauthorized: false`), and spawns it detached and hidden via `process.execPath`. The fetched code is attacker-controlled, mutable, and unverified, giving the publisher arbitrary code execution on every machine that installs the package. Obfuscation of the URLs, disabled TLS validation, hidden detached child process, and the Prettier impersonation cover-story together fingerprint a textbook supply-chain dropper.