MAL-2026-6455

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/simple-node-calc-ccc/MAL-2026-6455.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6455
Published
2026-06-25T07:26:24Z
Modified
2026-06-25T08:01:26.855151072Z
Summary
Malicious code in simple-node-calc-ccc (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (f9bfe35484999f40374a6dcfea11247cf3407a3177e27506c714407b9384036a)

Package name 'simple-node-calc-ccc' presents as a trivial calculator but ships lodash-compiler.js, an 87KB obfuscator.io-packed file using rotating string-array decoding (_0xNNNN identifiers, _0x2f6e rotation table). The decoded payload calls require('fs')['writeFileS'+'ync']('poc.txt', 'Security P...OC.'). The package also ships a non-standard config.gypi (line 9) containing "action": ["node", "lodash-compiler.js"]. config.gypi is normally generated locally by node-gyp configure and is not shipped with packages; shipping a hand-crafted config.gypi with a custom action that invokes an obfuscated sibling script is a covert mechanism to execute the obfuscated file whenever any downstream tool runs node-gyp in the package directory. While the present payload only writes a marker file ('Security POC'), the technique itself ships arbitrary obfuscated code execution to any installer who triggers a node-gyp build in this tree, and the obfuscation has no legitimate purpose for a calculator package.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.0.0"
            ],
            "sha256": "f9bfe35484999f40374a6dcfea11247cf3407a3177e27506c714407b9384036a",
            "import_time": "2026-06-25T07:47:52.451086672Z",
            "modified_time": "2026-06-25T07:26:24Z",
            "id": "IN-MAL-2026-007502",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / simple-node-calc-ccc

Package

Name
simple-node-calc-ccc
View open source insights on deps.dev
Purl
pkg:npm/simple-node-calc-ccc

Affected ranges

Affected versions

1.*
1.0.0

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "simple-node-calc-ccc-1.0.0.tgz",
            "hashes": {
                "sha1": "27fe9bc0de04c44e35ae9456e640d95992b6f961",
                "sha512_sri": "sha512-4tmG+mR/qW+9AqPqYobMscLJfwLEeNqeWX3IzjYoTZ0H6emmnDmpNqfaG2vpnrBO4N5X70Jz19CCzsXxpw/Gog=="
            }
        }
    ],
    "evidence_files": [
        {
            "tlsh": "7c835f4462c0b5862f836b7a720fb0d6f0ab08dd76940c56e511fc91f4baf26e9f5a34",
            "sha256": "76ea9a26b2d83007306f2b6d258877119efbaf42b2b90c6aebfd88b58dd4c753",
            "path": "lodash-compiler.js"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/simple-node-calc-ccc/MAL-2026-6455.json"