-= Per source details. Do not edit below this line.=-
Package name 'simple-node-calc-ccc' presents as a trivial calculator but ships lodash-compiler.js, an 87KB obfuscator.io-packed file using rotating string-array decoding (_0xNNNN identifiers, _0x2f6e rotation table). The decoded payload calls require('fs')['writeFileS'+'ync']('poc.txt', 'Security P...OC.'). The package also ships a non-standard config.gypi (line 9) containing "action": ["node", "lodash-compiler.js"]. config.gypi is normally generated locally by node-gyp configure and is not shipped with packages; shipping a hand-crafted config.gypi with a custom action that invokes an obfuscated sibling script is a covert mechanism to execute the obfuscated file whenever any downstream tool runs node-gyp in the package directory. While the present payload only writes a marker file ('Security POC'), the technique itself ships arbitrary obfuscated code execution to any installer who triggers a node-gyp build in this tree, and the obfuscation has no legitimate purpose for a calculator package.
{
"malicious-packages-origins": [
{
"versions": [
"1.0.0"
],
"sha256": "f9bfe35484999f40374a6dcfea11247cf3407a3177e27506c714407b9384036a",
"import_time": "2026-06-25T07:47:52.451086672Z",
"modified_time": "2026-06-25T07:26:24Z",
"id": "IN-MAL-2026-007502",
"source": "amazon-inspector"
}
]
}[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
{
"package_integrity": [
{
"filename": "simple-node-calc-ccc-1.0.0.tgz",
"hashes": {
"sha1": "27fe9bc0de04c44e35ae9456e640d95992b6f961",
"sha512_sri": "sha512-4tmG+mR/qW+9AqPqYobMscLJfwLEeNqeWX3IzjYoTZ0H6emmnDmpNqfaG2vpnrBO4N5X70Jz19CCzsXxpw/Gog=="
}
}
],
"evidence_files": [
{
"tlsh": "7c835f4462c0b5862f836b7a720fb0d6f0ab08dd76940c56e511fc91f4baf26e9f5a34",
"sha256": "76ea9a26b2d83007306f2b6d258877119efbaf42b2b90c6aebfd88b58dd4c753",
"path": "lodash-compiler.js"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/simple-node-calc-ccc/MAL-2026-6455.json"