npm

simple-node-calc-c @1.0.0

Vulnerability report · Last retrieved from osv.dev June 25, 2026 at 10:42 AM UTC

Malicious

OSV ID

MAL-2026-6454

Ecosystem

npm

Summary

Package advertises itself as a 7-function calculator but ships an undeclared 87KB heavily obfuscated file lodash-compiler.js (obfuscator.io string-array packing with rotation and control-flow flattening) that is not referenced from index.js or package.json. The published binding.gyp declares only a benign noop target, but the tarball also ships a pre-generated build/ directory whose top-level Makefile includes lodash_action.target.mk, whose all target runs node lodash-compiler.js. When deobfuscated, the file performs a top-level require('fs').writeFileSync('poc.txt','Security POC.') — confirming arbitrary code execution via the build pipeline. The mismatch between the sanitized binding.gyp and the shipped Makefile is consistent with build-cache smuggling: a default npm install regenerates Makefiles from binding.gyp and neutralizes the payload, but npm rebuild, make invoked directly, or any node-gyp path that reuses cached build output will execute the obfuscated file. The filename impersonates lodash to evade casual review. The current payload writes a marker file, but the delivery mechanism (obfuscated, undeclared, hidden behind a sanitized gyp facade) provides the author with arbitrary code execution on rebuild paths.

Source: amazon-inspector (289de4cd84a2ac40ef42f8b449ba58e9d8900d766a0638061ef2e75092b1f1a4)
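The binding.gyp versus shipped-Makefile mismatch described in the summary can be checked mechanically on an extracted tarball before anything is built. The script below is an added example, not code from the package, from amazon-inspector or from osv.dev. It reconstructs the layout the advisory describes (a noop target in binding.gyp, a build/Makefile that includes lodash_action.target.mk, a recipe running node lodash-compiler.js) as constructed sample files in a temporary directory, parses binding.gyp for its declared targets, and flags two things: per-target .mk includes that no declared target accounts for, and any recipe line in a shipped make file that runs a JavaScript file through node. The target and file names come from the advisory; the check logic, the finding kinds and the parsing assumption (gyp written as a Python/JSON-style literal without comments) are mine.

```python
"""Detect build-cache smuggling in an extracted npm package: a shipped build/
tree whose Makefiles run things the declared binding.gyp cannot explain.

Added example; not code from the package, amazon-inspector or osv.dev.
Assumes an already-extracted package directory. The tree written by
build_sample_package() is constructed here to mirror the layout the advisory
describes (noop target in binding.gyp, lodash_action.target.mk in build/)."""
import ast
import os
import re
import tempfile

# node-gyp emits "include <target>.target.mk" lines into build/Makefile
INCLUDE_RE = re.compile(r"^\s*include\s+(\S+)", re.M)
# any recipe line that runs a JavaScript file through node
NODE_CMD_RE = re.compile(r"\bnode\s+([\w./-]+\.js)\b")


def declared_targets(pkg_dir):
    """Target names from binding.gyp; node-gyp regenerates Makefiles from these.

    Assumption: the gyp file is a plain Python/JSON-style literal without
    comments, which ast.literal_eval can read (gyp allows single quotes and
    trailing commas that json.load would reject)."""
    path = os.path.join(pkg_dir, "binding.gyp")
    if not os.path.exists(path):
        return set()
    with open(path) as f:
        gyp = ast.literal_eval(f.read())
    return {t.get("target_name", "") for t in gyp.get("targets", [])}


def shipped_build_findings(pkg_dir):
    """Return (relative_path, kind, detail) tuples for suspicious build/ content."""
    findings = []
    build_dir = os.path.join(pkg_dir, "build")
    if not os.path.isdir(build_dir):
        return findings  # no pre-generated output shipped: npm install regenerates from gyp
    targets = declared_targets(pkg_dir)
    findings.append(("build", "shipped-build-dir", "pre-generated build output in tarball"))
    for root, _, files in os.walk(build_dir):
        for name in files:
            if name != "Makefile" and not name.endswith(".mk"):
                continue
            path = os.path.join(root, name)
            rel = os.path.relpath(path, pkg_dir).replace(os.sep, "/")
            with open(path) as f:
                text = f.read()
            for inc in INCLUDE_RE.findall(text):
                base = os.path.basename(inc)
                # a per-target makefile with no matching gyp target cannot have
                # been generated from this binding.gyp
                if base.endswith(".target.mk") and base[: -len(".target.mk")] not in targets:
                    findings.append((rel, "undeclared-target-include", inc))
            for script in NODE_CMD_RE.findall(text):
                findings.append((rel, "node-exec-in-make", script))
    return findings


def build_sample_package(smuggled=True):
    """Write a constructed package tree into a temp dir and return its path."""
    pkg = tempfile.mkdtemp(prefix="npm-pkg-")
    with open(os.path.join(pkg, "binding.gyp"), "w") as f:
        f.write("{'targets': [{'target_name': 'noop', 'type': 'none'}]}\n")
    if smuggled:
        os.makedirs(os.path.join(pkg, "build"))
        with open(os.path.join(pkg, "build", "Makefile"), "w") as f:
            f.write("all:\n\ninclude lodash_action.target.mk\ninclude noop.target.mk\n")
        with open(os.path.join(pkg, "build", "lodash_action.target.mk"), "w") as f:
            f.write("all:\n\tnode lodash-compiler.js\n")
        with open(os.path.join(pkg, "build", "noop.target.mk"), "w") as f:
            f.write("all:\n\t@true\n")
    return pkg


if __name__ == "__main__":
    for pkg in (build_sample_package(smuggled=True), build_sample_package(smuggled=False)):
        hits = shipped_build_findings(pkg)
        print(pkg, "->", "CLEAN" if not hits else "")
        for rel, kind, detail in hits:
            print(f"  [{kind}] {rel}: {detail}")
```

In practice the package directory would come from extracting `npm pack` output rather than from build_sample_package(); the presence of a build/ directory at all is the first signal, since node-gyp is supposed to regenerate it from binding.gyp on install, and the undeclared-target include is what distinguishes a stale but honest cache from a Makefile that the published gyp could never have produced.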
