{"id":"MAL-2026-6455","summary":"Malicious code in simple-node-calc-ccc (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (f9bfe35484999f40374a6dcfea11247cf3407a3177e27506c714407b9384036a)\nPackage name 'simple-node-calc-ccc' presents as a trivial calculator but ships lodash-compiler.js, an 87KB obfuscator.io-packed file using rotating string-array decoding (_0xNNNN identifiers, `_0x2f6e` rotation table). The decoded payload calls `require('fs')['writeFileS'+'ync']('poc.txt', 'Security P...OC.')`. The package also ships a non-standard `config.gypi` (line 9) containing `\"action\": [\"node\", \"lodash-compiler.js\"]`. config.gypi is normally generated locally by `node-gyp configure` and is not shipped with packages; shipping a hand-crafted config.gypi with a custom action that invokes an obfuscated sibling script is a covert mechanism to execute the obfuscated file whenever any downstream tool runs node-gyp in the package directory. While the present payload only writes a marker file ('Security POC'), the technique itself ships arbitrary obfuscated code execution to any installer who triggers a node-gyp build in this tree, and the obfuscation has no legitimate purpose for a calculator package.\n","modified":"2026-06-25T08:01:26.855151072Z","published":"2026-06-25T07:26:24Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-06-25T07:47:52.451086672Z","modified_time":"2026-06-25T07:26:24Z","sha256":"f9bfe35484999f40374a6dcfea11247cf3407a3177e27506c714407b9384036a","source":"amazon-inspector","versions":["1.0.0"],"id":"IN-MAL-2026-007502"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/simple-node-calc-ccc/v/1.0.0"}],"affected":[{"package":{"name":"simple-node-calc-ccc","ecosystem":"npm","purl":"pkg:npm/simple-node-calc-ccc"},"versions":["1.0.0"],"database_specific":{"indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-4tmG+mR/qW+9AqPqYobMscLJfwLEeNqeWX3IzjYoTZ0H6emmnDmpNqfaG2vpnrBO4N5X70Jz19CCzsXxpw/Gog==","sha1":"27fe9bc0de04c44e35ae9456e640d95992b6f961"},"filename":"simple-node-calc-ccc-1.0.0.tgz"}],"evidence_files":[{"sha256":"76ea9a26b2d83007306f2b6d258877119efbaf42b2b90c6aebfd88b58dd4c753","tlsh":"7c835f4462c0b5862f836b7a720fb0d6f0ab08dd76940c56e511fc91f4baf26e9f5a34","path":"lodash-compiler.js"}]},"cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/simple-node-calc-ccc/MAL-2026-6455.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}