MAL-2026-6451
Malicious code in simple-node-calc-a (npm)
Details
## Source: amazon-inspector (f9a86d4aeac1d4f5fc458b3058f4b13229cd2097c9d8e5cf3e4d45aa24980ad8)

simple-node-calc-a@1.0.0 advertises itself as a pure-JS calculator but ships a `binding.gyp` that triggers node-gyp automatically during `npm install`. Line 6 of `binding.gyp` uses gyp's shell-expansion directive `"<!(node lodash-compiler.js && echo stub.c)"`, which executes the sibling file `lodash-compiler.js` in the installer's environment at configure time, before any user code runs.

`lodash-compiler.js` is an 87 KB obfuscator.io-packed file (rotated 510-entry `_0x` string array, control-flow flattening, 2906 deobfuscation transforms) presented with a lodash custom-build banner, but it is never declared as a dependency and never imported by `index.js`. The deobfuscated trailer resolves to `require('fs').writeFileSync('poc.txt', 'POC...')`, writing a file into the installer's current working directory, outside the package's own folder.

The combination — an undocumented native-build hook in a package with no native code, a heavily obfuscated payload reachable only via that hook, and a write to the installer's CWD — is a working install-time arbitrary-code-execution primitive. Today's payload drops a PoC marker file; the same channel can deliver any code the author chooses in subsequent versions.
Affected packages
No fixed version published yet for simple-node-calc-a (npm). Pin to a known-safe version or switch to an alternative.