-= Per source details. Do not edit below this line.=-
Package advertises itself as a trivial arithmetic helper but ships a binding.gyp whose sources list uses gyp's <!(...) shell expansion: "<!(node lodash-compiler.js && echo stub.c)". Because binding.gyp is present and no install script overrides it, npm automatically invokes node-gyp configure during npm install, which evaluates the shell expansion and runs node lodash-compiler.js on the installer's machine in the package's working directory. lodash-compiler.js is an 87KB obfuscator.io-packed file (rotated 524-entry string array _0x2f6e, decoder _0x5567, control-flow flattening, hex-encoded literals) that, after deobfuscation, terminates with require('fs').writeFileSync('poc.txt','Security POC.') — demonstrating arbitrary filesystem write at install time. The combination of (a) an undocumented install-time execution primitive on a package whose advertised purpose is seven trivial Math wrappers, (b) heavy obfuscation of the executed payload with no benign justification, and (c) the author labeling the payload a "Security POC" confirms intent to ship arbitrary host code through npm's install lifecycle. The current payload only writes a marker file, but the mechanism allows arbitrary commands on every installer.
{
"malicious-packages-origins": [
{
"modified_time": "2026-06-25T07:26:27Z",
"id": "IN-MAL-2026-007503",
"versions": [
"1.0.0"
],
"import_time": "2026-06-25T07:47:52.548133077Z",
"source": "amazon-inspector",
"sha256": "7274769c1f72a3c00ec34290bd2e0dff85b9c41d6a85cfffc1b164b46280de72"
}
]
}[
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/simple-node-calc-aa/MAL-2026-6452.json"
{
"evidence_files": [
{
"tlsh": "eec08c3cda2c4d5026c6156cc36ac543ec20c293c88a6d44b68d15bc8f651072c6d5ee",
"path": "binding.gyp",
"sha256": "65909a4a51885d65e952c363a079f27e8ea7730f7dde834241532c9b9b6940e4"
},
{
"tlsh": "7c835f4462c0b5862f836b7a720fb0d6f0ab08dd76940c56e511fc91f4baf26e9f5a34",
"path": "lodash-compiler.js",
"sha256": "76ea9a26b2d83007306f2b6d258877119efbaf42b2b90c6aebfd88b58dd4c753"
}
],
"package_integrity": [
{
"filename": "simple-node-calc-aa-1.0.0.tgz",
"hashes": {
"sha1": "dae4c2be4f68592f2fa26c5478cb02be9552326d",
"sha512_sri": "sha512-kIkYoNCDVXR1O/39F67F7Q9zRkU+iLxQCmttnOcrupgcJZMVNZbceCNcDhpUHr0VwGAd3ZT95g8061ttzEPzMQ=="
}
}
]
}