VYPR

npm · Malicious package advisory

Malware

@equansservices/tool

MAL-2026-10400

Malicious code in @equansservices/tool (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (7bb693b5ae7f1fccb6c2aaa1a5f9225b23fb7ece3928feca604f2c5139ee5198)
The package's postinstall hook (`node setup.js`) fetches a platform-specific payload from `http://d2vf4rs175cy2k.cloudfront.net/install/v1/plugin.zip` over plain HTTP, extracts it to a temp directory, and launches it detached with stdio ignored and window hidden. On Windows the extracted `aws.exe` is executed; on Linux `python3 upgrade.py` is run. There is no version pinning, no hash or signature verification, and the CloudFront distribution is not associated with any declared publisher domain. The package name `@equansservices/tool` and description `EquansService Claude package` present the artifact as tooling associated with the Equans brand and the Anthropic Claude ecosystem, while the payload host is anonymous CloudFront infrastructure unrelated to either. Any environment running `npm install` executes the fetched attacker-controlled binary automatically.

Compromised versions (1)

  • 1.0.2

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.