simple-node-calc-a@1.0.0

Vulnerability report · Last retrieved from osv.dev June 25, 2026 at 10:42 AM UTC

Malicious

OSV ID

MAL-2026-6451

Ecosystem

npm

Summary

simple-node-calc-a@1.0.0 advertises itself as a pure-JS calculator but ships a binding.gyp that triggers node-gyp automatically during npm install. binding.gyp line 6 uses gyp's shell-expansion directive "<!(node lodash-compiler.js && echo stub.c)", which executes the sibling file lodash-compiler.js in the installer's environment at configure time, before any user code runs. lodash-compiler.js is an 87 KB obfuscator.io-packed file (rotated 510-entry _0x string array, control-flow flattening, 2906 deobfuscation transforms) presented with a lodash custom-build banner but never declared as a dependency and never imported by index.js. The deobfuscated trailer resolves to require('fs').writeFileSync('poc.txt', 'POC...'), writing a file into the installer's current working directory, outside the package's own folder. The combination — an undocumented native-build hook in a package with no native code, a heavily obfuscated payload reachable only through that hook, and a write to the installer's CWD — is a working install-time arbitrary-code-execution primitive. Today's payload drops a PoC marker file; the same channel can deliver any code the author chooses in subsequent versions.

Source: amazon-inspector (f9a86d4aeac1d4f5fc458b3058f4b13229cd2097c9d8e5cf3e4d45aa24980ad8)
