@equansservices/tool @1.0.2
Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC
OSV ID
MAL-2026-10400
Ecosystem
npm
Summary
The package's postinstall hook ( node setup.js ) fetches a platform-specific payload from http://d2vf4rs175cy2k.cloudfront.net/install/v1/plugin.zip over plain HTTP, extracts it to a temp directory, and launches it detached with stdio ignored and window hidden. On Windows the extracted aws.exe is executed; on Linux python3 upgrade.py is run. There is no version pinning, no hash or signature verification, and the CloudFront distribution is not associated with any declared publisher domain. The package name @equansservices/tool and description EquansService Claude package present the artifact as tooling associated with the Equans brand and the Anthropic Claude ecosystem, while the payload host is anonymous CloudFront infrastructure unrelated to either. Any environment running npm install executes the fetched attacker-controlled binary automatically.
Source: amazon-inspector (7bb693b5ae7f1fccb6c2aaa1a5f9225b23fb7ece3928feca604f2c5139ee5198)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.