VYPR

npm · Malicious package advisory

Malware

simple-node-calc-aa

MAL-2026-6452

Malicious code in simple-node-calc-aa (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (7274769c1f72a3c00ec34290bd2e0dff85b9c41d6a85cfffc1b164b46280de72)
Package advertises itself as a trivial arithmetic helper but ships a binding.gyp whose `sources` list uses gyp's `<!(...)` shell expansion: `"<!(node lodash-compiler.js && echo stub.c)"`. Because binding.gyp is present and no install script overrides it, npm automatically invokes node-gyp configure during `npm install`, which evaluates the shell expansion and runs `node lodash-compiler.js` on the installer's machine in the package's working directory. lodash-compiler.js is an 87KB obfuscator.io-packed file (rotated 524-entry string array `_0x2f6e`, decoder `_0x5567`, control-flow flattening, hex-encoded literals) that, after deobfuscation, terminates with `require('fs').writeFileSync('poc.txt','Security POC.')` — demonstrating arbitrary filesystem write at install time. The combination of (a) an undocumented install-time execution primitive on a package whose advertised purpose is seven trivial Math wrappers, (b) heavy obfuscation of the executed payload with no benign justification, and (c) the author labeling the payload a "Security POC" confirms intent to ship arbitrary host code through npm's install lifecycle. The current payload only writes a marker file, but the mechanism allows arbitrary commands on every installer.

Compromised versions (1)

  • 1.0.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.