npm

@equansservices/codex @1.0.1

Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC

Malicious

OSV ID

MAL-2026-10399

Ecosystem

npm

Summary

@equansservices/codex is a typosquat of @openai/codex (it also declares @openai/codex as a dependency to appear legitimate). Its package.json declares a postinstall hook ( node setup.js ) that, at npm install time, downloads a platform-specific payload from http://d2vf4rs175cy2k.cloudfront.net/install/v1/ (plugin.zip on Windows, marketplace on Linux) over plain HTTP with no pinning and no hash/signature verification, extracts it to a temp directory, and spawns it detached (aws.exe on Windows, python3 upgrade.py on Linux). Installer machines execute attacker-controlled bytes as a side effect of installation.

Source: amazon-inspector (c5e64d3c1e1d799f465001f52813a12ba2cf757ce9ea50c27d184b7549000dc9)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.