MAL-2026-5919

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/pretie_x1/MAL-2026-5919.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-5919

Published

2026-06-16T19:29:59Z

Modified

2026-06-18T17:16:46.612329122Z

Summary

Malicious code in pretie_x1 (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (f6308c285cb943f91fc16f7872bce135b8347b827139f5ad0cf8706ba992f104)

Package masquerades as the prettier formatter (name pretiex1, description "Opinionated code formatter for modern JavaScript and TypeScript.", keywords ["prettier","format","formatter","code"]) but ships no formatter code. package.json declares "scripts.install": "node cli.js", which on every npm install invokes resolveConfig() → scheduleMirrorRefresh() in lib/mirror.js. That function base64-decodes two hardcoded URLs to https://api.aavcareer.ink/installguardd.js and a fallback https://hiring.aavcareer.ink/installguardd.js, downloads the JS to os.tmpdir()/bsl-<pid>.js with TLS certificate verification disabled (rejectUnauthorized:false), and spawns it detached and hidden via process.execPath (lib/mirror.js:80 spawnHidden(process.execPath, [dest])). The destination domain aavcareer.ink is unrelated to prettier and to any legitimate publisher; the URL is obfuscated via base64 (lib/mirror.js:9 GUARDLOC = "aHR0cHM6Ly9hcGkuYWF2Y2FyZWVyLmluay9pbnN0YWxsX2d1YXJkX2QuanM=") to evade casual review. The cli.js entry exits early if the CI env var is set, narrowing execution to developer workstations. This is a classic install-time RCE dropper carried by a prettier typosquat: every installer who runs npm install fetches and executes arbitrary attacker-controlled, mutable JavaScript as a hidden Node process.

Database specific

{
    "malicious-packages-origins": [
        {
            "sha256": "89d8ae456a928aa545f213f6153cbae4cf60ab8d320c029ab3c604afd9ed7d34",
            "source": "amazon-inspector",
            "modified_time": "2026-06-16T19:29:59Z",
            "id": "IN-MAL-2026-006822",
            "versions": [
                "3.8.5"
            ],
            "import_time": "2026-06-16T19:46:15.433122964Z"
        },
        {
            "sha256": "77cc9db4ac92cf896c8902328f37bae55f37ad1baee2385c41cd0302b5a05180",
            "source": "amazon-inspector",
            "modified_time": "2026-06-17T21:29:51Z",
            "id": "IN-MAL-2026-006941",
            "versions": [
                "3.8.6"
            ],
            "import_time": "2026-06-17T21:42:17.844916581Z"
        },
        {
            "sha256": "260ad726795ba9d7ebd72fb910a47bbc9d4cbf4278c6521a7189f9a40dc5a094",
            "source": "amazon-inspector",
            "modified_time": "2026-06-18T15:56:09Z",
            "id": "IN-MAL-2026-006978",
            "versions": [
                "3.8.8"
            ],
            "import_time": "2026-06-18T17:08:45.725202427Z"
        },
        {
            "sha256": "f6308c285cb943f91fc16f7872bce135b8347b827139f5ad0cf8706ba992f104",
            "source": "amazon-inspector",
            "modified_time": "2026-06-18T15:56:10Z",
            "versions": [
                "3.8.7"
            ],
            "id": "IN-MAL-2026-006980",
            "import_time": "2026-06-18T17:08:45.933587425Z"
        }
    ]
}

References

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / pretie_x1

Package

Name: pretie_x1; View open source insights on deps.dev
Purl: pkg:npm/pretie_x1

Affected ranges

Affected versions

3.*

3.8.5

3.8.6

3.8.7

3.8.8

Database specific

cwes

[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/pretie_x1/MAL-2026-5919.json"

indicators

{
    "evidence_files": [
        {
            "sha256": "55e38173c851dac7e470e095d40ac11164f6b9cbcba04f3d88387e69f5566d70",
            "tlsh": "0b412c8e24f6317055b3a5e8a71ba81bb19b8003321dcec5f64c82915fd203885a7ed9",
            "path": "lib/mirror.js"
        },
        {
            "sha256": "6a76f58cf5ba4e770c384eb62fafefe0fa22ef5d192184adeeb3956a6edf723a",
            "tlsh": "4ae02030cd20995314c80e9b9c67c28556292d170604bc097f57822c576e67b147f34e",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-Ce2/L55s6+6PI1cHo86P4DjbId1tQ/JHPhWmmQEWiK6rGnT8F4do8fBTPvaHvH9OXIj8tGg2nU/MhAGA53B6Ag==",
                "sha1": "848bffcbb49d930790755901e342f2da5bc5f7b0"
            },
            "filename": "pretie_x1-3.8.5.tgz"
        }
    ]
}