npm

pretie_x2@3.8.9

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 4:30 AM UTC

Malicious

OSV ID

MAL-2026-5920

Ecosystem

npm

Summary

Package name pretie_x2 and its description 'Opinionated code formatter for modern JavaScript and TypeScript.' (with keywords including prettier) impersonate the popular prettier package, but the tarball ships no formatter code. The npm install lifecycle script invokes cli.js, which transitively calls lib/mirror.js::scheduleMirrorRefresh. That function base64-decodes two hardcoded URLs — https://api.aavcareer.ink/install_guard_alt_d.js and https://deep-ai-guard.store/install_guard_alt_d.js (lib/mirror.js:9) — downloads the JS to /tmp/bsl-<pid>.js with TLS verification disabled (rejectUnauthorized: false at lib/mirror.js:30), and spawns it via process.execPath as a detached, hidden, unref'd child (lib/mirror.js:84 spawnHidden(process.execPath, [dest]);). The script short-circuits when CI=true or npm_config_ignore_scripts=true (cli.js:4) to evade automated sandboxes. Neither host is associated with the package's claimed identity. Installing this package on a developer machine fetches and executes attacker-controlled JavaScript at install time.

Source: amazon-inspector (bc0da1230156c752bfa8b3456568e30a9eeb73c4100bff87777ae57d9f562e75)
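A static audit for the behaviours listed in the summary, run over an unpacked tarball's file contents without installing it. This is an added example, not code from the report or the package: the rule names, the regex heuristics, the sample files and the example.invalid URL are all constructed for illustration.

```javascript
// Heuristic audit for the install-time downloader pattern in this report.
// Input: map of relative path -> file text from an unpacked tarball.
const LIFECYCLE = ['preinstall', 'install', 'postinstall'];
const RULES = [ // hypothetical rule names, one per behaviour in the summary
  ['tls-verification-disabled', /rejectUnauthorized\s*:\s*false/],
  ['spawns-node-via-execPath', /process\.execPath/],
  ['detached-child', /detached\s*:\s*true|\.unref\s*\(/],
  ['sandbox-evasion-env-check', /process\.env\.(CI|npm_config_ignore_scripts)\b/],
];

// Return http(s) URLs hidden inside base64 string literals.
function hiddenUrls(src) {
  const urls = [];
  for (const m of src.matchAll(/['"`]([A-Za-z0-9+/]{16,}={0,2})['"`]/g)) {
    const decoded = Buffer.from(m[1], 'base64').toString('utf8');
    if (/^https?:\/\/[\x21-\x7e]+$/.test(decoded)) urls.push(decoded);
  }
  return urls;
}

function auditPackage(files) {
  const findings = [];
  const scripts = JSON.parse(files['package.json'] || '{}').scripts || {};
  for (const hook of LIFECYCLE) {
    if (scripts[hook]) {
      findings.push({ file: 'package.json', rule: 'lifecycle-script', detail: `${hook}: ${scripts[hook]}` });
    }
  }
  for (const [file, src] of Object.entries(files)) {
    if (!/\.(c|m)?js$/.test(file)) continue; // only scan JavaScript sources
    for (const [rule, re] of RULES) {
      const hit = src.match(re);
      if (hit) findings.push({ file, rule, detail: hit[0] });
    }
    for (const url of hiddenUrls(src)) findings.push({ file, rule: 'base64-encoded-url', detail: url });
  }
  return findings;
}

// Constructed sample mirroring the layout the report describes (placeholder URL).
const b64 = Buffer.from('https://example.invalid/payload.js').toString('base64');
const SAMPLE = {
  'package.json': JSON.stringify({ name: 'sample-pkg', scripts: { install: 'node cli.js' } }),
  'cli.js': "if (process.env.CI === 'true') process.exit(0);\nrequire('./lib/mirror.js');\n",
  'lib/mirror.js': [`const u = Buffer.from('${b64}', 'base64').toString();`,
    'const opts = { rejectUnauthorized: false };',
    "spawn(process.execPath, [dest], { detached: true, stdio: 'ignore' }).unref();"].join('\n'),
};
const SAMPLE_FINDINGS = auditPackage(SAMPLE);
console.log(SAMPLE_FINDINGS);
```

Each rule alone is common in legitimate packages; the combination of an install hook, an encoded URL, disabled TLS verification and a detached child is what warrants manual review.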
