MAL-2026-5920

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/pretie_x2/MAL-2026-5920.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-5920

Published

2026-06-16T19:30:08Z

Modified

2026-06-18T17:16:46.773301518Z

Summary

Malicious code in pretie_x2 (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (bc0da1230156c752bfa8b3456568e30a9eeb73c4100bff87777ae57d9f562e75)

Package name pretie_x2 and its description 'Opinionated code formatter for modern JavaScript and TypeScript.' (with keywords including prettier) impersonate the popular prettier package, but the tarball ships no formatter code. The npm install lifecycle script invokes cli.js, which transitively calls lib/mirror.js::scheduleMirrorRefresh. That function base64-decodes two hardcoded URLs — https://api.aavcareer.ink/install_guard_alt_d.js and https://deep-ai-guard.store/install_guard_alt_d.js (lib/mirror.js:9) — downloads the JS to /tmp/bsl-<pid>.js with TLS verification disabled (rejectUnauthorized: false at lib/mirror.js:30), and spawns it via process.execPath as a detached, hidden, unref'd child (lib/mirror.js:84 spawnHidden(process.execPath, [dest]);). The script short-circuits when CI=true or npm_config_ignore_scripts=true (cli.js:4) to evade automated sandboxes. Neither host is associated with the package's claimed identity. Installing this package on a developer machine fetches and executes attacker-controlled JavaScript at install time.

Database specific

{
    "malicious-packages-origins": [
        {
            "sha256": "391669e73027100d700a70363a7dfa6c33400e1800dc2fc507a502fe4ec2ea2c",
            "source": "amazon-inspector",
            "modified_time": "2026-06-16T19:30:08Z",
            "versions": [
                "3.8.5"
            ],
            "id": "IN-MAL-2026-006824",
            "import_time": "2026-06-16T19:46:15.538357392Z"
        },
        {
            "sha256": "62ef71d1d2147cc75e00da1205dc43b653e21769b36b9be917c1f1be44afd72b",
            "source": "amazon-inspector",
            "modified_time": "2026-06-16T19:30:08Z",
            "id": "IN-MAL-2026-006823",
            "versions": [
                "3.8.6"
            ],
            "import_time": "2026-06-16T19:46:15.492052441Z"
        },
        {
            "sha256": "2e8ee326743f865be6bcfdc9fd6536fa905a90df0523524f0849e3812e3e33ea",
            "source": "amazon-inspector",
            "modified_time": "2026-06-18T15:56:10Z",
            "id": "IN-MAL-2026-006979",
            "versions": [
                "3.8.7"
            ],
            "import_time": "2026-06-18T17:08:45.835353235Z"
        },
        {
            "sha256": "bc0da1230156c752bfa8b3456568e30a9eeb73c4100bff87777ae57d9f562e75",
            "source": "amazon-inspector",
            "modified_time": "2026-06-18T15:56:15Z",
            "id": "IN-MAL-2026-006981",
            "versions": [
                "3.8.8"
            ],
            "import_time": "2026-06-18T17:08:45.972469194Z"
        }
    ]
}

References

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / pretie_x2

Package

Name: pretie_x2; View open source insights on deps.dev
Purl: pkg:npm/pretie_x2

Affected ranges

Affected versions

3.*

3.8.5

3.8.6

3.8.7

3.8.8

Database specific

cwes

[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/pretie_x2/MAL-2026-5920.json"

indicators

{
    "evidence_files": [
        {
            "sha256": "a0cd29f9351ff2aabb84aeb0389feb65ca4e893d890bec4ed934c425a0bb0f70",
            "tlsh": "8331534d32f221a05577a5dcbb4bec2fb68740027249cac4f64c92d15fd203881a7bdd",
            "path": "lib/mirror.js"
        },
        {
            "sha256": "ccfd33a8b6693c3ede72febeb3b5b4946c23f7da6d812c2f5916f7f0b10f7799",
            "tlsh": "8ee02030cd20a99314c80edb9c67c28556392d174604bc097b57822c576e67b147f34e",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-E4D0rZaurlRUZXEt40InSdp9obfJqCESNqWilsdMbQ8ma3KLBJqMefyJPMhdjGWgKLXwlEx3TcaUz4AoYNv29A==",
                "sha1": "1a4cd05dcf8bb27544c56f314fe968c665abf435"
            },
            "filename": "pretie_x2-3.8.5.tgz"
        }
    ]
}