MAL-2026-6451

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/simple-node-calc-a/MAL-2026-6451.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6451
Published
2026-06-25T07:26:28Z
Modified
2026-06-25T08:01:26.575805711Z
Summary
Malicious code in simple-node-calc-a (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (f9a86d4aeac1d4f5fc458b3058f4b13229cd2097c9d8e5cf3e4d45aa24980ad8)

simple-node-calc-a@1.0.0 advertises itself as a pure-JS calculator but ships a binding.gyp that triggers node-gyp automatically during npm install. binding.gyp line 6 uses gyp's shell-expansion directive "<!(node lodash-compiler.js && echo stub.c)", which executes the sibling file lodash-compiler.js in the installer's environment at configure time, before any user code runs. lodash-compiler.js is an 87 KB obfuscator.io-packed file (rotated 510-entry _0x string array, control-flow flattening, 2906 deobfuscation transforms) presented with a lodash custom-build banner but never declared as a dependency and never imported by index.js. The deobfuscated trailer resolves to require('fs').writeFileSync('poc.txt', 'POC...'), writing a file into the installer's current working directory outside the package's own folder. The combination — undocumented native-build hook in a package with no native code, heavily obfuscated payload reachable only via that hook, and a write to the installer's CWD — is a working install-time arbitrary-code-execution primitive. Today's payload drops a PoC marker file; the same channel can deliver any code the author chooses on subsequent versions.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.0.0"
            ],
            "sha256": "f9a86d4aeac1d4f5fc458b3058f4b13229cd2097c9d8e5cf3e4d45aa24980ad8",
            "import_time": "2026-06-25T07:47:52.631452343Z",
            "modified_time": "2026-06-25T07:26:28Z",
            "id": "IN-MAL-2026-007505",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / simple-node-calc-a

Package

Affected ranges

Affected versions

1.*
1.0.0

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "simple-node-calc-a-1.0.0.tgz",
            "hashes": {
                "sha1": "f7a8413fe217a2465f5c9d1ada0f9d2df6eb20c6",
                "sha512_sri": "sha512-N2hKHxlwW9phs0IbAonvjaVUzUz9Zzc2XXbUj4ioQk289SPotssG9V5zYpTDkMDRET2Ot7RAF9KFgbuz5wVxhw=="
            }
        }
    ],
    "evidence_files": [
        {
            "tlsh": "eec08c3cda2c4d5026c6156cc36ac543ec20c293c88a6d44b68d15bc8f651072c6d5ee",
            "sha256": "65909a4a51885d65e952c363a079f27e8ea7730f7dde834241532c9b9b6940e4",
            "path": "binding.gyp"
        },
        {
            "tlsh": "d383634866c0ecd433874f7a7baf70e5fa7e09d97584091ec51afc90a8e0a06f9e1971",
            "sha256": "f704c05585e1ab123374cbb5400aa1199829e197eb9696d6ed841539ce553147",
            "path": "lodash-compiler.js"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/simple-node-calc-a/MAL-2026-6451.json"