MAL-2026-10399: Malicious code in @equansservices/codex (npm)
@equansservices/codex is a malicious npm package that impersonates the legitimate @openai/codex package. During installation, it executes a postinstall script that downloads and runs attacker-controlled payloads without integrity verification, leading to arbitrary code execution on the installer's machine.
AI Analysis
Technical Summary
@equansservices/codex is a typosquatting malicious package targeting npm users by mimicking the legitimate @openai/codex package. Its package.json includes a postinstall hook that runs 'node setup.js' during npm install. This script downloads a platform-specific payload over unencrypted HTTP from a remote server, extracts it to a temporary directory, and executes it detached (aws.exe on Windows, python3 upgrade.py on Linux). This results in the execution of attacker-controlled code on the system installing the package.
Potential Impact
Systems that install version 1.0.1 of @equansservices/codex will execute arbitrary attacker-controlled code during the npm install process. This can lead to full compromise of the affected machine, including potential data theft, persistence, or further malware deployment.
Mitigation Recommendations
Avoid installing the @equansservices/codex package. Since this is a malicious typosquat package with no vendor advisory or patch available, users should verify package names carefully before installation and use trusted sources. Remove any installations of version 1.0.1 of @equansservices/codex immediately. Consider scanning systems for signs of compromise if this package was installed.
MAL-2026-10399: Malicious code in @equansservices/codex (npm)
Description
@equansservices/codex is a malicious npm package that impersonates the legitimate @openai/codex package. During installation, it executes a postinstall script that downloads and runs attacker-controlled payloads without integrity verification, leading to arbitrary code execution on the installer's machine.
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
@equansservices/codex is a typosquatting malicious package targeting npm users by mimicking the legitimate @openai/codex package. Its package.json includes a postinstall hook that runs 'node setup.js' during npm install. This script downloads a platform-specific payload over unencrypted HTTP from a remote server, extracts it to a temporary directory, and executes it detached (aws.exe on Windows, python3 upgrade.py on Linux). This results in the execution of attacker-controlled code on the system installing the package.
Potential Impact
Systems that install version 1.0.1 of @equansservices/codex will execute arbitrary attacker-controlled code during the npm install process. This can lead to full compromise of the affected machine, including potential data theft, persistence, or further malware deployment.
Mitigation Recommendations
Avoid installing the @equansservices/codex package. Since this is a malicious typosquat package with no vendor advisory or patch available, users should verify package names carefully before installation and use trusted sources. Remove any installations of version 1.0.1 of @equansservices/codex immediately. Consider scanning systems for signs of compromise if this package was installed.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- MAL-2026-10399
- Osv Schema Version
- 1.7.4
- Aliases
- []
- Ecosystems
- ["npm"]
- Database Specific Severity
- null
- Cvss Version
- null
Threat ID: 6a54adf168715ace438f6cc6
Added to database: 07/13/2026, 09:20:49 UTC
Last enriched: 07/13/2026, 09:50:23 UTC
Last updated: 07/13/2026, 09:50:23 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.