VDB
KO

MAL-2026-10399

Malicious code in @equansservices/codex (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (c5e64d3c1e1d799f465001f52813a12ba2cf757ce9ea50c27d184b7549000dc9) @equansservices/codex is a typosquat of @openai/codex (it also declares @openai/codex as a dependency to appear legitimate). Its package.json declares a postinstall hook (`node setup.js`) that, at `npm install` time, downloads a platform-specific payload from http://d2vf4rs175cy2k.cloudfront.net/install/v1/ (plugin.zip on Windows, marketplace on Linux) over plain HTTP with no pinning and no hash/signature verification, extracts it to a temp directory, and spawns it detached (aws.exe on Windows, python3 upgrade.py on Linux). Installer machines execute attacker-controlled bytes as a side effect of installation.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / @equansservices/codex

No fixed version published yet for @equansservices/codex (npm). Pin to a known-safe version or switch to an alternative.

References