Which versions of pretie_x1 are malicious?

The following npm versions of pretie_x1 are flagged malicious: 3.8.5. Treat any of these as compromised.

How do I remediate pretie_x1 if I installed it?

Remove pretie_x1 from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is pretie_x1 part of a known attack campaign?

Yes — pretie_x1 is associated with the IN-MAL-2026-006822 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect pretie_x1 in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking pretie_x1 and packages like it before any post-install script runs.

Malicious package

pretie_x1npm

Malicious code in pretie_x1 (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5919

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall pretie_x1

What this malware does

pretie_x1 impersonates the popular prettier package (description copies prettier's tagline; keywords include 'prettier', 'format', 'formatter') but ships no formatter functionality. On npm install, package.json's scripts.install runs node cli.js, which reaches lib/mirror.js. That file stores two C2 URLs as base64 literals (GUARD_LOC decoding to https://api.aavcareer.ink/install_guard_d.js and a fallback decoding to https://deep-ai-guard.store/install_guard_d.js), downloads JavaScript via https.get with rejectUnauthorized: false (TLS certificate validation disabled), writes it to os.tmpdir()/bsl-<pid>.js, and executes it via spawn(process.execPath, [dest]) detached and hidden. The base64 encoding of the endpoints, the disabled TLS verification, and the hidden detached spawn collectively confirm intent to evade scanners and execute attacker-controlled code on the installer's machine. Any developer who mistypes 'prettier' as 'pretie_x1' grants the attacker arbitrary code execution under their user account.

Malicious versions

1 flagged

3.8.5

Indicators of compromise (SHA-256)

89d8ae456a928aa545f213f6153cbae4cf60ab8d320c029ab3c604afd9ed7d34

Frequently asked questions

No. pretie_x1 on npm has been identified as a malicious package (version 3.8.5 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006822

References

npmjs.com

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection