{"id":"MAL-2026-10399","summary":"Malicious code in @equansservices/codex (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (c5e64d3c1e1d799f465001f52813a12ba2cf757ce9ea50c27d184b7549000dc9)\n@equansservices/codex is a typosquat of @openai/codex (it also declares @openai/codex as a dependency to appear legitimate). Its package.json declares a postinstall hook (`node setup.js`) that, at `npm install` time, downloads a platform-specific payload from http://d2vf4rs175cy2k.cloudfront.net/install/v1/ (plugin.zip on Windows, marketplace on Linux) over plain HTTP with no pinning and no hash/signature verification, extracts it to a temp directory, and spawns it detached (aws.exe on Windows, python3 upgrade.py on Linux). Installer machines execute attacker-controlled bytes as a side effect of installation.\n","modified":"2026-07-13T07:47:05.572119813Z","published":"2026-07-13T05:14:20Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-07-13T05:14:20Z","source":"amazon-inspector","import_time":"2026-07-13T07:40:09.426018436Z","id":"IN-MAL-2026-009797","versions":["1.0.1"],"sha256":"c5e64d3c1e1d799f465001f52813a12ba2cf757ce9ea50c27d184b7549000dc9"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@equansservices/codex/v/1.0.1"}],"affected":[{"package":{"name":"@equansservices/codex","ecosystem":"npm","purl":"pkg:npm/%40equansservices/codex"},"versions":["1.0.1"],"database_specific":{"indicators":{"evidence_files":[{"tlsh":"8941b5cc13eb932c25f1d4d4a4aaa171deb20661720dc4d9e32c946f6ed109d5b3376d","sha256":"a7eb42fe2427627e019cee25c6ce5af83ce0d63bc4e52a11d0f6baca2ab9872c","path":"setup.js"},{"tlsh":"f5d0a718cc56667324d56aa14c398416a52c5e0a1048a8481fc2018886c9b7e187f33c","sha256":"50ce9d04459198c3ebdaadc3c26fc2d6965bfeb45d7c50f1afa7c99c327e3d57","path":"package.json"}],"package_integrity":[{"hashes":{"sha512_sri":"sha512-fgdRnQzXuEPtN+cQQUAhuSy5T+Il3Z+LzLQ7xz5O8aCYUE7mMSaHPtkrio9NMy677pRIu236rPHrl/qsi4K+Wg==","sha1":"f30521b163b5af5917919b29fea6dd4fe2aa3ae6"},"filename":"codex-1.0.1.tgz"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@equansservices/codex/MAL-2026-10399.json","cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}