simple-node-calc-b @1.0.0
Vulnerability report · Last retrieved from osv.dev June 25, 2026 at 10:42 AM UTC
OSV ID: MAL-2026-6453
Ecosystem: npm
Summary
simple-node-calc-b@1.0.0 ships a binding.gyp that includes a modules file declaring "lodash": "<!(node lodash-compiler.js)". The gyp <!(...) syntax executes shell commands at parse time, and npm auto-invokes node-gyp on any package containing binding.gyp during npm install, so node lodash-compiler.js runs automatically on every install with no user opt-in. lodash-compiler.js is an 87KB obfuscator.io-style packed script (524-entry rotated string array _0x2f6e, decoder wrapper, control-flow-flattening switch/case dispatcher, hex variable names) reachable through this auto-execution path. The script body contains require('fs').writeFileSync(...) along with the string-array fragments 'poc.txt', 'Security P', 'OC.', 'writeFileS', 'ync', self-describing as a proof-of-concept payload. The package name advertises a calculator; there is no legitimate reason for a calculator to ship 87KB of obfuscated code behind a hidden gyp shell expansion. The combination of auto-execution on default install, heavy obfuscation, purpose mismatch, and self-described POC payload matches the canonical install-time RCE pattern.
Source: amazon-inspector (78b115418f82ef73f995f3bf6b0cb8bf50da516b56c691b76ccb939491d2b046)