MAL-2026-6452

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/simple-node-calc-aa/MAL-2026-6452.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6452
Published
2026-06-25T07:26:27Z
Modified
2026-06-25T08:01:26.624669075Z
Summary
Malicious code in simple-node-calc-aa (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (7274769c1f72a3c00ec34290bd2e0dff85b9c41d6a85cfffc1b164b46280de72)

Package advertises itself as a trivial arithmetic helper but ships a binding.gyp whose sources list uses gyp's <!(...) shell expansion: "<!(node lodash-compiler.js && echo stub.c)". Because binding.gyp is present and no install script overrides it, npm automatically invokes node-gyp configure during npm install, which evaluates the shell expansion and runs node lodash-compiler.js on the installer's machine in the package's working directory. lodash-compiler.js is an 87KB obfuscator.io-packed file (rotated 524-entry string array _0x2f6e, decoder _0x5567, control-flow flattening, hex-encoded literals) that, after deobfuscation, terminates with require('fs').writeFileSync('poc.txt','Security POC.') — demonstrating arbitrary filesystem write at install time. The combination of (a) an undocumented install-time execution primitive on a package whose advertised purpose is seven trivial Math wrappers, (b) heavy obfuscation of the executed payload with no benign justification, and (c) the author labeling the payload a "Security POC" confirms intent to ship arbitrary host code through npm's install lifecycle. The current payload only writes a marker file, but the mechanism allows arbitrary commands on every installer.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-06-25T07:26:27Z",
            "id": "IN-MAL-2026-007503",
            "versions": [
                "1.0.0"
            ],
            "import_time": "2026-06-25T07:47:52.548133077Z",
            "source": "amazon-inspector",
            "sha256": "7274769c1f72a3c00ec34290bd2e0dff85b9c41d6a85cfffc1b164b46280de72"
        }
    ]
}
References
Credits

Affected packages

npm / simple-node-calc-aa

Package

Name
simple-node-calc-aa
View open source insights on deps.dev
Purl
pkg:npm/simple-node-calc-aa

Affected ranges

Affected versions

1.*
1.0.0

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/simple-node-calc-aa/MAL-2026-6452.json"
indicators
{
    "evidence_files": [
        {
            "tlsh": "eec08c3cda2c4d5026c6156cc36ac543ec20c293c88a6d44b68d15bc8f651072c6d5ee",
            "path": "binding.gyp",
            "sha256": "65909a4a51885d65e952c363a079f27e8ea7730f7dde834241532c9b9b6940e4"
        },
        {
            "tlsh": "7c835f4462c0b5862f836b7a720fb0d6f0ab08dd76940c56e511fc91f4baf26e9f5a34",
            "path": "lodash-compiler.js",
            "sha256": "76ea9a26b2d83007306f2b6d258877119efbaf42b2b90c6aebfd88b58dd4c753"
        }
    ],
    "package_integrity": [
        {
            "filename": "simple-node-calc-aa-1.0.0.tgz",
            "hashes": {
                "sha1": "dae4c2be4f68592f2fa26c5478cb02be9552326d",
                "sha512_sri": "sha512-kIkYoNCDVXR1O/39F67F7Q9zRkU+iLxQCmttnOcrupgcJZMVNZbceCNcDhpUHr0VwGAd3ZT95g8061ttzEPzMQ=="
            }
        }
    ]
}