MAL-2026-6453

Malicious code in simple-node-calc-b (npm)

Details

## Source: amazon-inspector (78b115418f82ef73f995f3bf6b0cb8bf50da516b56c691b76ccb939491d2b046)

simple-node-calc-b@1.0.0 ships a binding.gyp that includes a `modules` file declaring `"lodash": "<!(node lodash-compiler.js)"`. The gyp `<!(...)` syntax executes shell commands at parse time, and npm auto-invokes node-gyp on any package containing binding.gyp during `npm install`, so `node lodash-compiler.js` runs automatically on every install with no user opt-in.

lodash-compiler.js is an 87KB obfuscator.io-style packed script (524-entry rotated string array `_0x2f6e`, decoder wrapper, control-flow-flattening switch/case dispatcher, hex variable names) reachable through this auto-execution path. The script body contains `require('fs').writeFileSync(...)` along with the string-array fragments `'poc.txt'`, `'Security P'`, `'OC.'`, `'writeFileS'`, `'ync'`, self-describing as a proof-of-concept payload.

The package name advertises a calculator; there is no legitimate reason for a calculator to ship 87KB of obfuscated code behind a hidden gyp shell expansion. The combination of auto-execution on default install, heavy obfuscation, purpose mismatch, and self-described POC payload matches the canonical install-time RCE pattern.
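The check a reviewer of an npm tarball would want for the install-time path described above, as an added example (not code from the advisory, the source, or the package): flag packages that npm will build automatically and list every gyp shell expansion reachable from binding.gyp, following its `includes` list. The sample files and names are constructed; the auto-build test mirrors npm's documented default of running `node-gyp rebuild` when binding.gyp is at the package root and no install/preinstall script is declared.

```python
import json
import re
from typing import Dict, List, Tuple

# gyp runs <!(cmd) and <!@(cmd) in a shell while parsing the file; allow one level
# of nested parentheses so commands like node -p "require('x').include" are captured.
GYP_CMD_RE = re.compile(r"<!@?\(((?:[^()]|\([^()]*\))*)\)")
INCLUDES_RE = re.compile(r"""['"]includes['"]\s*:\s*\[([^\]]*)\]""")
STRING_RE = re.compile(r"""['"]([^'"]+)['"]""")


def auto_runs_node_gyp(files: Dict[str, str]) -> bool:
    """npm defaults the install step to `node-gyp rebuild` when binding.gyp sits at
    the package root and package.json declares no install/preinstall script."""
    if "binding.gyp" not in files:
        return False
    scripts = json.loads(files.get("package.json", "{}")).get("scripts", {})
    return not ({"install", "preinstall"} & set(scripts))


def gyp_files_to_scan(files: Dict[str, str]) -> List[str]:
    """binding.gyp first, then the files it pulls in via 'includes' (any name, as with
    the advisory's `modules` file), then any other .gyp/.gypi in the package."""
    order: List[str] = []
    if "binding.gyp" in files:
        order.append("binding.gyp")
        m = INCLUDES_RE.search(files["binding.gyp"])
        if m:
            order += [p for p in STRING_RE.findall(m.group(1)) if p in files]
    order += sorted(p for p in files if p.endswith((".gyp", ".gypi")) and p not in order)
    return order


def find_gyp_command_expansions(files: Dict[str, str]) -> List[Tuple[str, str]]:
    """(path, command) for every shell expansion reachable from binding.gyp."""
    return [(p, cmd.strip()) for p in gyp_files_to_scan(files)
            for cmd in GYP_CMD_RE.findall(files[p])]


def audit_package(files: Dict[str, str]) -> dict:
    """files maps package-relative path -> text, e.g. read from an unpacked tarball."""
    return {"auto_runs_node_gyp": auto_runs_node_gyp(files),
            "command_expansions": find_gyp_command_expansions(files)}


# Constructed sample mirroring the advisory's layout; names are placeholders.
SAMPLE_FILES = {
    "package.json": '{"name": "calc-demo", "version": "1.0.0", "scripts": {"test": "node test.js"}}',
    "binding.gyp": "{ 'includes': ['modules'], 'targets': [] }",
    "modules": "{ 'variables': { 'lodash': '<!(node lodash-compiler.js)' } }",
    "lodash-compiler.js": "// placeholder standing in for the obfuscated script",
}
```

Legitimate native addons also use expansions such as `<!@(node -p "require('node-addon-api').include")`, so a hit is a prompt for review rather than proof of malice; the purpose mismatch and the size and obfuscation of the script the command runs are the other signals the advisory relies on.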

Affected packages

npm / simple-node-calc-b

No fixed version published yet for simple-node-calc-b (npm). Pin to a known-safe version or switch to an alternative.

References