MAL-2026-10399
Malicious code in @equansservices/codex (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (c5e64d3c1e1d799f465001f52813a12ba2cf757ce9ea50c27d184b7549000dc9) @equansservices/codex is a typosquat of @openai/codex (it also declares @openai/codex as a dependency to appear legitimate). Its package.json declares a postinstall hook (`node setup.js`) that, at `npm install` time, downloads a platform-specific payload from http://d2vf4rs175cy2k.cloudfront.net/install/v1/ (plugin.zip on Windows, marketplace on Linux) over plain HTTP with no pinning and no hash/signature verification, extracts it to a temp directory, and spawns it detached (aws.exe on Windows, python3 upgrade.py on Linux). Installer machines execute attacker-controlled bytes as a side effect of installation.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for @equansservices/codex (npm). Pin to a known-safe version or switch to an alternative.