npm

simple-node-calc-ccc @1.0.0

Vulnerability report · Last retrieved from osv.dev June 25, 2026 at 10:42 AM UTC

Malicious

OSV ID

MAL-2026-6455

Ecosystem

npm

Summary

The package 'simple-node-calc-ccc' presents as a trivial calculator but ships lodash-compiler.js, an 87KB obfuscator.io-packed file using rotating string-array decoding (_0xNNNN identifiers, _0x2f6e rotation table). The decoded payload calls require('fs')['writeFileS'+'ync']('poc.txt', 'Security P...OC.').

The package also ships a non-standard config.gypi whose line 9 contains "action": ["node", "lodash-compiler.js"]. config.gypi is normally generated locally by node-gyp configure and is not shipped with packages. A hand-crafted config.gypi with a custom action that invokes an obfuscated sibling script is a covert mechanism to execute the obfuscated file whenever any downstream tool runs node-gyp in the package directory.

While the present payload only writes a marker file ('Security POC'), the technique itself ships arbitrary obfuscated code execution to any installer who triggers a node-gyp build in this tree, and the obfuscation has no legitimate purpose for a calculator package.

Source: amazon-inspector (f9bfe35484999f40374a6dcfea11247cf3407a3177e27506c714407b9384036a)
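
A check for the pattern the summary describes, as an added example that is not part of the OSV record or of any scanner's own code: it walks an unpacked, never-built package tree, reports every shipped config.gypi, and for each "action" list records the line number, the argv, and any referenced script dense with _0xNNNN identifiers. The function names and the identifier threshold of 20 are assumptions of this example.

```python
import os
import re

# "action": [...] entries; 'actions' and 'action_name' keys do not match.
ACTION_RE = re.compile(r'''["']action["']\s*:\s*\[([^\]]*)\]''')
STRING_RE = re.compile(r'''["']([^"']+)["']''')
HEX_IDENT_RE = re.compile(r"\b_0x[0-9a-fA-F]{3,}\b")
HEX_IDENT_THRESHOLD = 20  # assumed cut-off for "packed"; tune on your own corpus


def looks_packed(path):
    """True when a script is dense with _0xNNNN-style identifiers."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return len(HEX_IDENT_RE.findall(fh.read())) >= HEX_IDENT_THRESHOLD
    except OSError:  # referenced script missing or unreadable
        return False


def scan_package(root):
    """Report every config.gypi under an unpacked, never-built package tree."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        if "config.gypi" not in filenames:
            continue
        gypi = os.path.join(dirpath, "config.gypi")
        with open(gypi, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        finding = {"file": os.path.relpath(gypi, root), "actions": []}
        for match in ACTION_RE.finditer(text):
            argv = STRING_RE.findall(match.group(1))
            scripts = [a for a in argv[1:] if a.endswith((".js", ".cjs", ".mjs"))]
            finding["actions"].append({
                "line": text.count("\n", 0, match.start()) + 1,
                "argv": argv,
                "packed_scripts": [s for s in scripts
                                   if looks_packed(os.path.join(dirpath, s))],
            })
        findings.append(finding)
    return findings


if __name__ == "__main__":
    import json
    import sys
    print(json.dumps(scan_package(sys.argv[1] if len(sys.argv) > 1 else "."), indent=2))
```

A finding with an empty "actions" list still deserves review, since a shipped config.gypi is itself unusual.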
