-= Per source details. Do not edit below this line.=-
simple-node-calc-b@1.0.0 ships a binding.gyp that includes a modules file declaring "lodash": "<!(node lodash-compiler.js)". The gyp <!(...) syntax executes shell commands at parse time, and npm auto-invokes node-gyp on any package containing binding.gyp during npm install, so node lodash-compiler.js runs automatically on every install with no user opt-in. lodash-compiler.js is an 87KB obfuscator.io-style packed script (524-entry rotated string array _0x2f6e, decoder wrapper, control-flow flattening switch/case dispatcher, hex variable names) reachable through this auto-execution path. The script body contains require('fs').writeFileSync(...) along with string-array fragments 'poc.txt', 'Security P', 'OC.', 'writeFileS', 'ync' — self-describing as a proof-of-concept payload. The package name advertises a calculator; there is no legitimate reason for a calculator to ship 87KB of obfuscated code behind a hidden gyp shell-expansion. The combination of auto-execution on default install, heavy obfuscation, purpose mismatch, and self-described POC payload matches the canonical install-time RCE pattern.
{
"malicious-packages-origins": [
{
"id": "IN-MAL-2026-007504",
"sha256": "78b115418f82ef73f995f3bf6b0cb8bf50da516b56c691b76ccb939491d2b046",
"import_time": "2026-06-25T07:47:52.592550585Z",
"modified_time": "2026-06-25T07:26:28Z",
"source": "amazon-inspector",
"versions": [
"1.0.0"
]
}
]
}[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
{
"package_integrity": [
{
"filename": "simple-node-calc-b-1.0.0.tgz",
"hashes": {
"sha1": "4cb65c152390fe9c0e149536f8c5626066091cbd",
"sha512_sri": "sha512-UviaptCpzXDml9nJlCSTlN4/JPGEkbxAPaII5Ih7uZZL5vBI9LoZLg6N3ARRgNREBtmD7V+3x4RQjs73Tuj5yg=="
}
}
],
"evidence_files": [
{
"tlsh": "e7900210c23d0c5616d87a20a0d8c1434a9418f151961d0466de31885f1507607a7189",
"sha256": "91f3027c9adafda2f5471bb912ec9ded8b390fcbb24e8de3d757b4cb231e2ce2",
"path": "binding.gyp"
},
{
"tlsh": "7c835f4462c0b5862f836b7a720fb0d6f0ab08dd76940c56e511fc91f4baf26e9f5a34",
"sha256": "76ea9a26b2d83007306f2b6d258877119efbaf42b2b90c6aebfd88b58dd4c753",
"path": "lodash-compiler.js"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/simple-node-calc-b/MAL-2026-6453.json"