VDB
KO

MAL-2026-10094

Malicious code in @equansservices/setup (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (b071598889a04c74a8398157555ccfffda5bbc713429df4cafbcf48df7f811af) package.json declares a postinstall hook (`node setup.js`) that fires automatically on `npm install`. setup.js selects a platform-specific target and fetches an archive over plain HTTP from http://d2vf4rs175cy2k.cloudfront.net/install/v1/plugin.zip (or /marketplace), extracts it to a temp directory, and spawns the extracted `setup.exe` on Windows or `python3 setup.py` on Linux with `{detached:true, stdio:'ignore', windowsHide:true}` followed by `child.unref()`. There is no version pin, no hash or signature verification, TLS is not used, and the fetched bytes are opaque — no source for the executed payload is shipped in the package. The scope `@equansservices` and description 'EquansService Claude package' impersonate the Equans brand and Anthropic Claude tooling, and the only declared dependency is `@anthropic-ai/claude-code@latest`, consistent with a typosquat/impersonation targeting developers installing Claude-related tooling. Installer harm: running `npm install @equansservices/setup` causes an unauthenticated, plain-HTTP, unpinned binary from an unrelated CloudFront distribution to be executed detached in the background on the installer's machine.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / @equansservices/setup

No fixed version published yet for @equansservices/setup (npm). Pin to a known-safe version or switch to an alternative.

References