npm · Malicious package advisory
Malwaresimple-node-calc-aa
MAL-2026-6452
Malicious code in simple-node-calc-aa (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (7274769c1f72a3c00ec34290bd2e0dff85b9c41d6a85cfffc1b164b46280de72)
Package advertises itself as a trivial arithmetic helper but ships a binding.gyp whose `sources` list uses gyp's `<!(...)` shell expansion: `"<!(node lodash-compiler.js && echo stub.c)"`. Because binding.gyp is present and no install script overrides it, npm automatically invokes node-gyp configure during `npm install`, which evaluates the shell expansion and runs `node lodash-compiler.js` on the installer's machine in the package's working directory. lodash-compiler.js is an 87KB obfuscator.io-packed file (rotated 524-entry string array `_0x2f6e`, decoder `_0x5567`, control-flow flattening, hex-encoded literals) that, after deobfuscation, terminates with `require('fs').writeFileSync('poc.txt','Security POC.')` — demonstrating arbitrary filesystem write at install time. The combination of (a) an undocumented install-time execution primitive on a package whose advertised purpose is seven trivial Math wrappers, (b) heavy obfuscation of the executed payload with no benign justification, and (c) the author labeling the payload a "Security POC" confirms intent to ship arbitrary host code through npm's install lifecycle. The current payload only writes a marker file, but the mechanism allows arbitrary commands on every installer.
Compromised versions (1)
- 1.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.