{"id":"MAL-2026-10094","summary":"Malicious code in @equansservices/setup (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (b071598889a04c74a8398157555ccfffda5bbc713429df4cafbcf48df7f811af)\npackage.json declares a postinstall hook (`node setup.js`) that fires automatically on `npm install`. setup.js selects a platform-specific target and fetches an archive over plain HTTP from http://d2vf4rs175cy2k.cloudfront.net/install/v1/plugin.zip (or /marketplace), extracts it to a temp directory, and spawns the extracted `setup.exe` on Windows or `python3 setup.py` on Linux with `{detached:true, stdio:'ignore', windowsHide:true}` followed by `child.unref()`. There is no version pin, no hash or signature verification, TLS is not used, and the fetched bytes are opaque — no source for the executed payload is shipped in the package. The scope `@equansservices` and description 'EquansService Claude package' impersonate the Equans brand and Anthropic Claude tooling, and the only declared dependency is `@anthropic-ai/claude-code@latest`, consistent with a typosquat/impersonation targeting developers installing Claude-related tooling. Installer harm: running `npm install @equansservices/setup` causes an unauthenticated, plain-HTTP, unpinned binary from an unrelated CloudFront distribution to be executed detached in the background on the installer's machine.\n","modified":"2026-07-09T21:16:57.220796576Z","published":"2026-07-09T20:21:25Z","database_specific":{"malicious-packages-origins":[{"versions":["1.0.1"],"modified_time":"2026-07-09T20:21:48Z","import_time":"2026-07-09T21:03:50.613925195Z","id":"IN-MAL-2026-009395","source":"amazon-inspector","sha256":"af49918aec2d33ec0f55cae1c79cd6b98e10ffc27572b78edf3f59ee9a46d586"},{"versions":["1.0.0"],"modified_time":"2026-07-09T20:21:33Z","import_time":"2026-07-09T21:03:50.384359987Z","id":"IN-MAL-2026-009393","source":"amazon-inspector","sha256":"b071598889a04c74a8398157555ccfffda5bbc713429df4cafbcf48df7f811af"},{"versions":["1.0.2"],"modified_time":"2026-07-09T20:21:25Z","import_time":"2026-07-09T21:03:50.324031926Z","id":"IN-MAL-2026-009392","source":"amazon-inspector","sha256":"de6b00a3ccce88c581fe5d533d7fff3b12bc63a4c238fb1bd35bb44a7bf20184"},{"versions":["1.0.3"],"modified_time":"2026-07-09T20:21:41Z","import_time":"2026-07-09T21:03:50.49423589Z","source":"amazon-inspector","id":"IN-MAL-2026-009394","sha256":"f6f639fa1c0061aadff22026dbfdbad89a425be941b9b8a84dfce39ca1012a82"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@equansservices/setup/v/1.0.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@equansservices/setup/v/1.0.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@equansservices/setup/v/1.0.2"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@equansservices/setup/v/1.0.3"}],"affected":[{"package":{"name":"@equansservices/setup","ecosystem":"npm","purl":"pkg:npm/%40equansservices/setup"},"versions":["1.0.1","1.0.0","1.0.2","1.0.3"],"database_specific":{"cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@equansservices/setup/MAL-2026-10094.json","indicators":{"evidence_files":[{"tlsh":"9d91b78c1af3b3300b7215d927ef5476aa638103710ae9acb55c02686fca01d957b3df","sha256":"78fc439a0f4e2a8d981f9624c08fdfc3e02a47974f32aec4ee6504e2009f4e2b","path":"setup.js"},{"path":"package.json","sha256":"6de2939401a1d9a9af0aa223dd6581743ea6273a9722a896553f2a4843276e7f","tlsh":"83d0a764dc97967320c93ae11d3b441766398e8a1188bc5927e3015487cdaaa6c79316"}],"package_integrity":[{"filename":"setup-1.0.1.tgz","hashes":{"sha1":"337ee8dcaf30141f23d44befa0b14536ddab408f","sha512_sri":"sha512-Cil4hjih4hos2XTI8Idz0v5jkCBkL3TX+3qBxeerBr+V0L4I4SaKf5phpkALXMAZ4YOce+vAG5STpwCakQqtvg=="}}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}