The contract was announced in the first week of October.
Equifax disclosed the breach of the data of up to 143 million Americans on 7 September. Later it said an additional 2.5 million Americans could be affected.
"There is still no indication of any compromise of the limited IRS data shared under the contract," the agency said.
The awarding of the contract was questioned by Senators Ben Sasse (Republican, Nebraska) and Elizabeth Warren (Democrat, Massachusetts) in a letter sent to the IRS commissioner.
Equifax denied that it was serving malware from any part of its website and blamed a third-party vendor.
"Despite early media reports, Equifax can confirm that its systems were not compromised and that the reported issue did not affect out consumer online dispute portal," the company said in a statement.
"The issue involves a third-party vendor that Equifax uses to collect website performance data. That vendor's code running on an Equifax website was serving malicious content.
"Since we learned of the issue, the vendor's code was removed from the Web page, and we have taken the Web page offline to conduct further analysis."