MAL-2026-6453

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/simple-node-calc-b/MAL-2026-6453.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6453
Published
2026-06-25T07:26:28Z
Modified
2026-06-25T08:01:26.749079660Z
Summary
Malicious code in simple-node-calc-b (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (78b115418f82ef73f995f3bf6b0cb8bf50da516b56c691b76ccb939491d2b046)

simple-node-calc-b@1.0.0 ships a binding.gyp that includes a modules file declaring "lodash": "<!(node lodash-compiler.js)". The gyp <!(...) syntax executes shell commands at parse time, and npm auto-invokes node-gyp on any package containing binding.gyp during npm install, so node lodash-compiler.js runs automatically on every install with no user opt-in. lodash-compiler.js is an 87KB obfuscator.io-style packed script (524-entry rotated string array _0x2f6e, decoder wrapper, control-flow flattening switch/case dispatcher, hex variable names) reachable through this auto-execution path. The script body contains require('fs').writeFileSync(...) along with string-array fragments 'poc.txt', 'Security P', 'OC.', 'writeFileS', 'ync' — self-describing as a proof-of-concept payload. The package name advertises a calculator; there is no legitimate reason for a calculator to ship 87KB of obfuscated code behind a hidden gyp shell-expansion. The combination of auto-execution on default install, heavy obfuscation, purpose mismatch, and self-described POC payload matches the canonical install-time RCE pattern.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-007504",
            "sha256": "78b115418f82ef73f995f3bf6b0cb8bf50da516b56c691b76ccb939491d2b046",
            "import_time": "2026-06-25T07:47:52.592550585Z",
            "modified_time": "2026-06-25T07:26:28Z",
            "source": "amazon-inspector",
            "versions": [
                "1.0.0"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / simple-node-calc-b

Package

Affected ranges

Affected versions

1.*
1.0.0

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "simple-node-calc-b-1.0.0.tgz",
            "hashes": {
                "sha1": "4cb65c152390fe9c0e149536f8c5626066091cbd",
                "sha512_sri": "sha512-UviaptCpzXDml9nJlCSTlN4/JPGEkbxAPaII5Ih7uZZL5vBI9LoZLg6N3ARRgNREBtmD7V+3x4RQjs73Tuj5yg=="
            }
        }
    ],
    "evidence_files": [
        {
            "tlsh": "e7900210c23d0c5616d87a20a0d8c1434a9418f151961d0466de31885f1507607a7189",
            "sha256": "91f3027c9adafda2f5471bb912ec9ded8b390fcbb24e8de3d757b4cb231e2ce2",
            "path": "binding.gyp"
        },
        {
            "tlsh": "7c835f4462c0b5862f836b7a720fb0d6f0ab08dd76940c56e511fc91f4baf26e9f5a34",
            "sha256": "76ea9a26b2d83007306f2b6d258877119efbaf42b2b90c6aebfd88b58dd4c753",
            "path": "lodash-compiler.js"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/simple-node-calc-b/MAL-2026-6453.json"