MAL-2026-10399

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@equansservices/codex/MAL-2026-10399.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10399
Published
2026-07-13T05:14:20Z
Modified
2026-07-13T07:47:05.572119813Z
Summary
Malicious code in @equansservices/codex (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (c5e64d3c1e1d799f465001f52813a12ba2cf757ce9ea50c27d184b7549000dc9)

@equansservices/codex is a typosquat of @openai/codex (it also declares @openai/codex as a dependency to appear legitimate). Its package.json declares a postinstall hook (node setup.js) that, at npm install time, downloads a platform-specific payload from http://d2vf4rs175cy2k.cloudfront.net/install/v1/ (plugin.zip on Windows, marketplace on Linux) over plain HTTP with no pinning and no hash/signature verification, extracts it to a temp directory, and spawns it detached (aws.exe on Windows, python3 upgrade.py on Linux). Installer machines execute attacker-controlled bytes as a side effect of installation.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "c5e64d3c1e1d799f465001f52813a12ba2cf757ce9ea50c27d184b7549000dc9",
            "id": "IN-MAL-2026-009797",
            "import_time": "2026-07-13T07:40:09.426018436Z",
            "versions": [
                "1.0.1"
            ],
            "modified_time": "2026-07-13T05:14:20Z",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / @equansservices/codex

Package

Name
@equansservices/codex
View open source insights on deps.dev
Purl
pkg:npm/%40equansservices/codex

Affected ranges

Affected versions

1.*
1.0.1

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "a7eb42fe2427627e019cee25c6ce5af83ce0d63bc4e52a11d0f6baca2ab9872c",
            "tlsh": "8941b5cc13eb932c25f1d4d4a4aaa171deb20661720dc4d9e32c946f6ed109d5b3376d",
            "path": "setup.js"
        },
        {
            "sha256": "50ce9d04459198c3ebdaadc3c26fc2d6965bfeb45d7c50f1afa7c99c327e3d57",
            "tlsh": "f5d0a718cc56667324d56aa14c398416a52c5e0a1048a8481fc2018886c9b7e187f33c",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "codex-1.0.1.tgz",
            "hashes": {
                "sha512_sri": "sha512-fgdRnQzXuEPtN+cQQUAhuSy5T+Il3Z+LzLQ7xz5O8aCYUE7mMSaHPtkrio9NMy677pRIu236rPHrl/qsi4K+Wg==",
                "sha1": "f30521b163b5af5917919b29fea6dd4fe2aa3ae6"
            }
        }
    ]
}
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@equansservices/codex/MAL-2026-10399.json"