npm · Malicious package advisory
Malware@equansservices/codex
MAL-2026-10399
Malicious code in @equansservices/codex (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (c5e64d3c1e1d799f465001f52813a12ba2cf757ce9ea50c27d184b7549000dc9) @equansservices/codex is a typosquat of @openai/codex (it also declares @openai/codex as a dependency to appear legitimate). Its package.json declares a postinstall hook (`node setup.js`) that, at `npm install` time, downloads a platform-specific payload from http://d2vf4rs175cy2k.cloudfront.net/install/v1/ (plugin.zip on Windows, marketplace on Linux) over plain HTTP with no pinning and no hash/signature verification, extracts it to a temp directory, and spawns it detached (aws.exe on Windows, python3 upgrade.py on Linux). Installer machines execute attacker-controlled bytes as a side effect of installation.
Compromised versions (1)
- 1.0.1
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.