-= Per source details. Do not edit below this line.=-
package.json declares a postinstall hook (node setup.js) that fires automatically on npm install. setup.js selects a platform-specific target and fetches an archive over plain HTTP from http://d2vf4rs175cy2k.cloudfront.net/install/v1/plugin.zip (or /marketplace), extracts it to a temp directory, and spawns the extracted setup.exe on Windows or python3 setup.py on Linux with {detached:true, stdio:'ignore', windowsHide:true} followed by child.unref(). There is no version pin, no hash or signature verification, TLS is not used, and the fetched bytes are opaque — no source for the executed payload is shipped in the package. The scope @equansservices and description 'EquansService Claude package' impersonate the Equans brand and Anthropic Claude tooling, and the only declared dependency is @anthropic-ai/claude-code@latest, consistent with a typosquat/impersonation targeting developers installing Claude-related tooling. Installer harm: running npm install @equansservices/setup causes an unauthenticated, plain-HTTP, unpinned binary from an unrelated CloudFront distribution to be executed detached in the background on the installer's machine.
{
"malicious-packages-origins": [
{
"versions": [
"1.0.1"
],
"id": "IN-MAL-2026-009395",
"import_time": "2026-07-09T21:03:50.613925195Z",
"modified_time": "2026-07-09T20:21:48Z",
"sha256": "af49918aec2d33ec0f55cae1c79cd6b98e10ffc27572b78edf3f59ee9a46d586",
"source": "amazon-inspector"
},
{
"sha256": "b071598889a04c74a8398157555ccfffda5bbc713429df4cafbcf48df7f811af",
"id": "IN-MAL-2026-009393",
"import_time": "2026-07-09T21:03:50.384359987Z",
"modified_time": "2026-07-09T20:21:33Z",
"versions": [
"1.0.0"
],
"source": "amazon-inspector"
},
{
"sha256": "de6b00a3ccce88c581fe5d533d7fff3b12bc63a4c238fb1bd35bb44a7bf20184",
"id": "IN-MAL-2026-009392",
"import_time": "2026-07-09T21:03:50.324031926Z",
"modified_time": "2026-07-09T20:21:25Z",
"versions": [
"1.0.2"
],
"source": "amazon-inspector"
},
{
"sha256": "f6f639fa1c0061aadff22026dbfdbad89a425be941b9b8a84dfce39ca1012a82",
"id": "IN-MAL-2026-009394",
"import_time": "2026-07-09T21:03:50.49423589Z",
"modified_time": "2026-07-09T20:21:41Z",
"versions": [
"1.0.3"
],
"source": "amazon-inspector"
}
]
}{
"evidence_files": [
{
"sha256": "78fc439a0f4e2a8d981f9624c08fdfc3e02a47974f32aec4ee6504e2009f4e2b",
"tlsh": "9d91b78c1af3b3300b7215d927ef5476aa638103710ae9acb55c02686fca01d957b3df",
"path": "setup.js"
},
{
"tlsh": "83d0a764dc97967320c93ae11d3b441766398e8a1188bc5927e3015487cdaaa6c79316",
"sha256": "6de2939401a1d9a9af0aa223dd6581743ea6273a9722a896553f2a4843276e7f",
"path": "package.json"
}
],
"package_integrity": [
{
"filename": "setup-1.0.1.tgz",
"hashes": {
"sha512_sri": "sha512-Cil4hjih4hos2XTI8Idz0v5jkCBkL3TX+3qBxeerBr+V0L4I4SaKf5phpkALXMAZ4YOce+vAG5STpwCakQqtvg==",
"sha1": "337ee8dcaf30141f23d44befa0b14536ddab408f"
}
}
]
}
[
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@equansservices/setup/MAL-2026-10094.json"