registry  /  @equansservices/codex  /  1.0.1

@equansservices/codex@1.0.1

OSV Malicious Advisory

scanned 2h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10399 confirms this npm version as malicious. @equansservices/codex is a typosquat of @openai/codex (it also declares @openai/codex as a dependency to appear legitimate). Its package.json declares a postinstall hook (`node setup.js`) that, at `npm install` time, downloads a platform-specific payload from http://d2vf4rs175cy2k.cloudfront.net/install/v1/ (plugin.zip on Windows, marketplace on Linux) over plain HTTP with no pinning and no hash/signature...

Advisory
MAL-2026-10399
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in @equansservices/codex (npm)
Details
@equansservices/codex is a typosquat of @openai/codex (it also declares @openai/codex as a dependency to appear legitimate). Its package.json declares a postinstall hook (`node setup.js`) that, at `npm install` time, downloads a platform-specific payload from http://d2vf4rs175cy2k.cloudfront.net/install/v1/ (plugin.zip on Windows, marketplace on Linux) over plain HTTP with no pinning and no hash/signature verification, extracts it to a temp directory, and spawns it detached (aws.exe on Windows, python3 upgrade.py on Linux). Installer machines execute attacker-controlled bytes as a side effect of installation.
Decision reason
OpenSSF Malicious Packages via OSV confirms @equansservices/codex@1.0.1 as malicious (MAL-2026-10399): Malicious code in @equansservices/codex (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory