VYPR

npm · Malicious package advisory

Malware

simple-node-calc-ccc

MAL-2026-6455

Malicious code in simple-node-calc-ccc (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (f9bfe35484999f40374a6dcfea11247cf3407a3177e27506c714407b9384036a)
Package name 'simple-node-calc-ccc' presents as a trivial calculator but ships lodash-compiler.js, an 87KB obfuscator.io-packed file using rotating string-array decoding (_0xNNNN identifiers, `_0x2f6e` rotation table). The decoded payload calls `require('fs')['writeFileS'+'ync']('poc.txt', 'Security P...OC.')`. The package also ships a non-standard `config.gypi` (line 9) containing `"action": ["node", "lodash-compiler.js"]`. config.gypi is normally generated locally by `node-gyp configure` and is not shipped with packages; shipping a hand-crafted config.gypi with a custom action that invokes an obfuscated sibling script is a covert mechanism to execute the obfuscated file whenever any downstream tool runs node-gyp in the package directory. While the present payload only writes a marker file ('Security POC'), the technique itself ships arbitrary obfuscated code execution to any installer who triggers a node-gyp build in this tree, and the obfuscation has no legitimate purpose for a calculator package.

Compromised versions (1)

  • 1.0.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.