simple-node-calc-aa @1.0.0
Vulnerability report · Last retrieved from osv.dev June 25, 2026 at 10:42 AM UTC
OSV ID
MAL-2026-6452
Ecosystem
npm
Summary
Package advertises itself as a trivial arithmetic helper but ships a binding.gyp whose sources list uses gyp's <!(...) shell expansion: "<!(node lodash-compiler.js && echo stub.c)". Because binding.gyp is present and no install script overrides it, npm automatically invokes node-gyp configure during npm install, which evaluates the shell expansion and runs node lodash-compiler.js on the installer's machine in the package's working directory.

lodash-compiler.js is an 87KB obfuscator.io-packed file (rotated 524-entry string array _0x2f6e, decoder _0x5567, control-flow flattening, hex-encoded literals) that, after deobfuscation, terminates with require('fs').writeFileSync('poc.txt','Security POC.'), demonstrating arbitrary filesystem write at install time.

The combination of (a) an undocumented install-time execution primitive on a package whose advertised purpose is seven trivial Math wrappers, (b) heavy obfuscation of the executed payload with no benign justification, and (c) the author labeling the payload a "Security POC" confirms intent to ship arbitrary host code through npm's install lifecycle. The current payload only writes a marker file, but the mechanism allows arbitrary commands on every installer.
Source: amazon-inspector (7274769c1f72a3c00ec34290bd2e0dff85b9c41d6a85cfffc1b164b46280de72)
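As an added defender-side example (not part of this OSV record, amazon-inspector's tooling, or the package itself), the following Python checks a package's binding.gyp for gyp's command expansions (<!(...) and <!@(...), both of which node-gyp evaluates by running a shell command at configure time) and reports whether npm would invoke node-gyp implicitly, i.e. binding.gyp present with no "install" script in package.json. The function names and the sample package.json and binding.gyp are constructed here; the sources entry in the sample is copied from the summary above.

```python
"""Flag gyp command expansions in binding.gyp and implicit node-gyp installs.

Added example for this advisory, not code from osv.dev, amazon-inspector
or the package. Function names and sample inputs are the author's own.
"""
import ast
import json
import re
from pathlib import Path

# gyp runs the text inside <!( ... ) and <!@( ... ) through a shell when
# node-gyp configures the build; plain <( ... ) is a variable lookup.
_CMD_EXPANSION = re.compile(r"<!@?\(")

# Constructed sample inputs (not the real package's files). The sources
# entry reproduces the expansion string quoted in the advisory summary.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-calc",            # placeholder name
    "version": "1.0.0",
    "scripts": {"test": "node test.js"},   # note: no "install" script
})
SAMPLE_BINDING_GYP = """{
  'targets': [
    {
      'target_name': 'calc',
      # command expansion evaluated by node-gyp at configure time
      'sources': [ '<!(node lodash-compiler.js && echo stub.c)' ],
    },
  ],
}"""


def _walk_strings(node, path):
    """Yield (path, value) for every string nested in a parsed gyp structure."""
    if isinstance(node, str):
        yield path, node
    elif isinstance(node, dict):
        for key, value in node.items():
            yield from _walk_strings(value, f"{path}.{key}")
    elif isinstance(node, (list, tuple)):
        for index, value in enumerate(node):
            yield from _walk_strings(value, f"{path}[{index}]")


def find_command_expansions(gyp_text):
    """Return [(path, value)] for every string containing <!( or <!@(.

    binding.gyp is a Python literal (single quotes, comments and trailing
    commas allowed), so ast.literal_eval parses it without executing
    anything. A file that does not parse is scanned line by line instead,
    so a deliberately malformed gyp file is still reported.
    """
    try:
        data = ast.literal_eval(gyp_text)
    except (ValueError, SyntaxError):
        return [("<unparsed>", line.strip())
                for line in gyp_text.splitlines()
                if _CMD_EXPANSION.search(line)]
    return [(path, value) for path, value in _walk_strings(data, "$")
            if _CMD_EXPANSION.search(value)]


def assess_package(package_json_text, binding_gyp_text):
    """Combine the manifest and binding.gyp (None if absent) into one verdict."""
    scripts = json.loads(package_json_text).get("scripts") or {}
    has_binding = binding_gyp_text is not None
    # npm's default install script is `node-gyp rebuild`: it runs whenever
    # binding.gyp exists and package.json declares no "install" script.
    implicit = has_binding and "install" not in scripts
    expansions = find_command_expansions(binding_gyp_text) if has_binding else []
    return {
        "implicit_node_gyp": implicit,
        "lifecycle_scripts": sorted(k for k in scripts
                                    if k in ("preinstall", "install", "postinstall")),
        "command_expansions": expansions,
        # any command expansion runs on the installer's machine, whether
        # node-gyp was triggered implicitly or by an explicit install script
        "suspicious": bool(expansions),
    }


def scan_package_dir(pkg_dir):
    """Assess an unpacked package directory (e.g. node_modules/<name>)."""
    pkg_dir = Path(pkg_dir)
    gyp_path = pkg_dir / "binding.gyp"
    gyp_text = gyp_path.read_text() if gyp_path.exists() else None
    return assess_package((pkg_dir / "package.json").read_text(), gyp_text)


if __name__ == "__main__":
    print(json.dumps(assess_package(SAMPLE_PACKAGE_JSON, SAMPLE_BINDING_GYP), indent=2))
```

Run it over every directory under node_modules (or over extracted tarballs in CI) and treat any non-empty command_expansions list as a blocking finding; implicit_node_gyp on its own is normal for legitimate native addons and is only reported so the reviewer knows the build runs without an explicit script.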