npm

@equansservices/setup @1.0.3

Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 10:29 PM UTC

Malicious

OSV ID

MAL-2026-10094

Ecosystem

npm

Summary

package.json declares a postinstall hook ( node setup.js ) that fires automatically on npm install . setup.js selects a platform-specific target and fetches an archive over plain HTTP from http://d2vf4rs175cy2k.cloudfront.net/install/v1/plugin.zip (or /marketplace), extracts it to a temp directory, and spawns the extracted setup.exe on Windows or python3 setup.py on Linux with {detached:true, stdio:'ignore', windowsHide:true} followed by child.unref() . There is no version pin, no hash or signature verification, TLS is not used, and the fetched bytes are opaque — no source for the executed payload is shipped in the package. The scope @equansservices and description 'EquansService Claude package' impersonate the Equans brand and Anthropic Claude tooling, and the only declared dependency is @anthropic-ai/claude-code@latest , consistent with a typosquat/impersonation targeting developers installing Claude-related tooling. Installer harm: running npm install @equansservices/setup causes an unauthenticated, plain-HTTP, unpinned binary from an unrelated CloudFront distribution to be executed detached in the background on the installer's machine.

Source: amazon-inspector (b071598889a04c74a8398157555ccfffda5bbc713429df4cafbcf48df7f811af)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.