-= Per source details. Do not edit below this line.=-
simple-node-calc-a@1.0.0 advertises itself as a pure-JS calculator but ships a binding.gyp that triggers node-gyp automatically during npm install. binding.gyp line 6 uses gyp's shell-expansion directive "<!(node lodash-compiler.js && echo stub.c)", which executes the sibling file lodash-compiler.js in the installer's environment at configure time, before any user code runs. lodash-compiler.js is an 87 KB obfuscator.io-packed file (rotated 510-entry _0x string array, control-flow flattening, 2906 deobfuscation transforms) presented with a lodash custom-build banner but never declared as a dependency and never imported by index.js. The deobfuscated trailer resolves to require('fs').writeFileSync('poc.txt', 'POC...'), writing a file into the installer's current working directory outside the package's own folder. The combination — undocumented native-build hook in a package with no native code, heavily obfuscated payload reachable only via that hook, and a write to the installer's CWD — is a working install-time arbitrary-code-execution primitive. Today's payload drops a PoC marker file; the same channel can deliver any code the author chooses on subsequent versions.
{
"malicious-packages-origins": [
{
"versions": [
"1.0.0"
],
"sha256": "f9a86d4aeac1d4f5fc458b3058f4b13229cd2097c9d8e5cf3e4d45aa24980ad8",
"import_time": "2026-06-25T07:47:52.631452343Z",
"modified_time": "2026-06-25T07:26:28Z",
"id": "IN-MAL-2026-007505",
"source": "amazon-inspector"
}
]
}[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
{
"package_integrity": [
{
"filename": "simple-node-calc-a-1.0.0.tgz",
"hashes": {
"sha1": "f7a8413fe217a2465f5c9d1ada0f9d2df6eb20c6",
"sha512_sri": "sha512-N2hKHxlwW9phs0IbAonvjaVUzUz9Zzc2XXbUj4ioQk289SPotssG9V5zYpTDkMDRET2Ot7RAF9KFgbuz5wVxhw=="
}
}
],
"evidence_files": [
{
"tlsh": "eec08c3cda2c4d5026c6156cc36ac543ec20c293c88a6d44b68d15bc8f651072c6d5ee",
"sha256": "65909a4a51885d65e952c363a079f27e8ea7730f7dde834241532c9b9b6940e4",
"path": "binding.gyp"
},
{
"tlsh": "d383634866c0ecd433874f7a7baf70e5fa7e09d97584091ec51afc90a8e0a06f9e1971",
"sha256": "f704c05585e1ab123374cbb5400aa1199829e197eb9696d6ed841539ce553147",
"path": "lodash-compiler.js"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/simple-node-calc-a/MAL-2026-6451.json"