MAL-2026-10094

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@equansservices/setup/MAL-2026-10094.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10094
Published
2026-07-09T20:21:25Z
Modified
2026-07-09T21:16:57.220796576Z
Summary
Malicious code in @equansservices/setup (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (b071598889a04c74a8398157555ccfffda5bbc713429df4cafbcf48df7f811af)

package.json declares a postinstall hook (node setup.js) that fires automatically on npm install. setup.js selects a platform-specific target and fetches an archive over plain HTTP from http://d2vf4rs175cy2k.cloudfront.net/install/v1/plugin.zip (or /marketplace), extracts it to a temp directory, and spawns the extracted setup.exe on Windows or python3 setup.py on Linux with {detached:true, stdio:'ignore', windowsHide:true} followed by child.unref(). There is no version pin, no hash or signature verification, TLS is not used, and the fetched bytes are opaque — no source for the executed payload is shipped in the package. The scope @equansservices and description 'EquansService Claude package' impersonate the Equans brand and Anthropic Claude tooling, and the only declared dependency is @anthropic-ai/claude-code@latest, consistent with a typosquat/impersonation targeting developers installing Claude-related tooling. Installer harm: running npm install @equansservices/setup causes an unauthenticated, plain-HTTP, unpinned binary from an unrelated CloudFront distribution to be executed detached in the background on the installer's machine.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.0.1"
            ],
            "id": "IN-MAL-2026-009395",
            "import_time": "2026-07-09T21:03:50.613925195Z",
            "modified_time": "2026-07-09T20:21:48Z",
            "sha256": "af49918aec2d33ec0f55cae1c79cd6b98e10ffc27572b78edf3f59ee9a46d586",
            "source": "amazon-inspector"
        },
        {
            "sha256": "b071598889a04c74a8398157555ccfffda5bbc713429df4cafbcf48df7f811af",
            "id": "IN-MAL-2026-009393",
            "import_time": "2026-07-09T21:03:50.384359987Z",
            "modified_time": "2026-07-09T20:21:33Z",
            "versions": [
                "1.0.0"
            ],
            "source": "amazon-inspector"
        },
        {
            "sha256": "de6b00a3ccce88c581fe5d533d7fff3b12bc63a4c238fb1bd35bb44a7bf20184",
            "id": "IN-MAL-2026-009392",
            "import_time": "2026-07-09T21:03:50.324031926Z",
            "modified_time": "2026-07-09T20:21:25Z",
            "versions": [
                "1.0.2"
            ],
            "source": "amazon-inspector"
        },
        {
            "sha256": "f6f639fa1c0061aadff22026dbfdbad89a425be941b9b8a84dfce39ca1012a82",
            "id": "IN-MAL-2026-009394",
            "import_time": "2026-07-09T21:03:50.49423589Z",
            "modified_time": "2026-07-09T20:21:41Z",
            "versions": [
                "1.0.3"
            ],
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / @equansservices/setup

Package

Name
@equansservices/setup
View open source insights on deps.dev
Purl
pkg:npm/%40equansservices/setup

Affected ranges

Affected versions

1.*
1.0.0
1.0.1
1.0.2
1.0.3

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "78fc439a0f4e2a8d981f9624c08fdfc3e02a47974f32aec4ee6504e2009f4e2b",
            "tlsh": "9d91b78c1af3b3300b7215d927ef5476aa638103710ae9acb55c02686fca01d957b3df",
            "path": "setup.js"
        },
        {
            "tlsh": "83d0a764dc97967320c93ae11d3b441766398e8a1188bc5927e3015487cdaaa6c79316",
            "sha256": "6de2939401a1d9a9af0aa223dd6581743ea6273a9722a896553f2a4843276e7f",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "setup-1.0.1.tgz",
            "hashes": {
                "sha512_sri": "sha512-Cil4hjih4hos2XTI8Idz0v5jkCBkL3TX+3qBxeerBr+V0L4I4SaKf5phpkALXMAZ4YOce+vAG5STpwCakQqtvg==",
                "sha1": "337ee8dcaf30141f23d44befa0b14536ddab408f"
            }
        }
    ]
}
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@equansservices/setup/MAL-2026-10094.json"