MAL-2026-6454
Malicious code in simple-node-calc-c (npm)
Details
## Source: amazon-inspector (289de4cd84a2ac40ef42f8b449ba58e9d8900d766a0638061ef2e75092b1f1a4)

Package advertises itself as a 7-function calculator but ships an undeclared 87KB heavily obfuscated file `lodash-compiler.js` (obfuscator.io string-array packing with rotation and control-flow flattening) that is not referenced from `index.js` or `package.json`. The published `binding.gyp` declares only a benign `noop` target, but the tarball also ships a pre-generated `build/` directory whose top-level Makefile includes `lodash_action.target.mk`, whose `all` target runs `node lodash-compiler.js`. When deobfuscated, the file performs a top-level `require('fs').writeFileSync('poc.txt','Security POC.')`, confirming arbitrary code execution via the build pipeline. The mismatch between the sanitized `binding.gyp` and the shipped Makefile is consistent with build-cache smuggling: a default `npm install` regenerates Makefiles from `binding.gyp` and neutralizes the payload, but `npm rebuild`, `make` invoked directly, or any node-gyp path that reuses cached build output will execute the obfuscated file. The filename impersonates lodash to evade casual review. The current payload writes a marker file, but the delivery mechanism (obfuscated, undeclared, hidden behind a sanitized gyp facade) provides the author with arbitrary code execution on rebuild paths.
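The pattern described above (a benign `binding.gyp`, a shipped `build/` directory whose Makefile runs a script nothing else references, and obfuscator.io-style identifiers in that script) can be checked for mechanically before a package is rebuilt. The script below is an added example written for this advisory; it is not code from the advisory source, from node-gyp, or from the package. It takes the contents of an unpacked tarball as a path-to-content map, compares Makefile targets against `binding.gyp`, compares `node <script>` recipes against what `package.json` references, and applies a crude `_0x` identifier heuristic. The sample package, the `example-calc` name and the obfuscated text are constructed to mirror the advisory; the check assumes `binding.gyp` is valid JSON (real gyp files may use single quotes).

```javascript
// Added example: audit an unpacked npm tarball for build-cache smuggling.
// `files` maps tarball-relative paths to file contents (strings).

// Target names declared in binding.gyp (assumes the gyp file is valid JSON).
function gypTargets(gypText) {
  const gyp = JSON.parse(gypText);
  return new Set((gyp.targets || []).map((t) => t.target_name));
}

// Collect `node <something>.js` invocations from a Makefile recipe or npm script.
function nodeInvocations(text) {
  const found = new Set();
  const re = /\bnode\s+(\S+\.js)\b/g;
  let m;
  while ((m = re.exec(text)) !== null) found.add(m[1].replace(/^\.\//, ''));
  return found;
}

// Scripts that package.json legitimately points at: main, bin, and npm scripts.
function packageJsonRefs(pkgText) {
  const pkg = JSON.parse(pkgText);
  const refs = new Set();
  if (pkg.main) refs.add(pkg.main.replace(/^\.\//, ''));
  const bins = typeof pkg.bin === 'string' ? [pkg.bin] : Object.values(pkg.bin || {});
  bins.forEach((b) => refs.add(b.replace(/^\.\//, '')));
  for (const cmd of Object.values(pkg.scripts || {})) {
    for (const s of nodeInvocations(cmd)) refs.add(s);
  }
  return refs;
}

// Crude obfuscator.io signal: a high density of `_0x<hex>` identifiers.
function looksObfuscated(src) {
  const hits = (src.match(/_0x[0-9a-f]{4,}/g) || []).length;
  return hits >= 5 && hits / Math.max(src.length, 1) > 0.01;
}

// Returns a list of findings; an empty list means nothing matched.
function auditPackage(files) {
  const findings = [];
  const declaredTargets = files['binding.gyp'] ? gypTargets(files['binding.gyp']) : new Set();
  const declaredScripts = files['package.json'] ? packageJsonRefs(files['package.json']) : new Set();

  // A tarball should not carry node-gyp output; npm install regenerates it.
  const shippedBuild = Object.keys(files).filter((p) => p.startsWith('build/'));
  if (shippedBuild.length > 0) {
    findings.push({ kind: 'shipped-build-dir', detail: `${shippedBuild.length} file(s) under build/` });
  }

  for (const p of shippedBuild) {
    const base = p.split('/').pop();
    // <name>.target.mk files are generated per gyp target; an extra one is a mismatch.
    const target = base.match(/^(.+)\.target\.mk$/);
    if (target && !declaredTargets.has(target[1])) {
      findings.push({ kind: 'undeclared-target', detail: `${p} builds '${target[1]}', not declared in binding.gyp` });
    }
    for (const script of nodeInvocations(files[p])) {
      if (!declaredScripts.has(script)) {
        findings.push({ kind: 'undeclared-node-recipe', detail: `${p} runs 'node ${script}', never referenced by package.json` });
      }
      if (files[script] && looksObfuscated(files[script])) {
        findings.push({ kind: 'obfuscated-script', detail: `${script} matches obfuscator.io identifier pattern` });
      }
    }
  }
  return findings;
}

// Constructed sample mirroring the advisory: benign gyp, smuggled Makefile, obfuscated script.
const SAMPLE_PACKAGE = {
  'package.json': JSON.stringify({ name: 'example-calc', main: 'index.js', scripts: { test: 'node test.js' } }),
  'index.js': 'module.exports = { add: (a, b) => a + b };',
  'binding.gyp': JSON.stringify({ targets: [{ target_name: 'noop', type: 'none' }] }),
  'build/Makefile': 'include lodash_action.target.mk\n',
  'build/lodash_action.target.mk': 'all:\n\tnode lodash-compiler.js\n',
  'lodash-compiler.js':
    'var _0x1a2b3c=["x"];function _0x4d5e6f(){return _0x1a2b3c}var _0x7a8b9c=_0x4d5e6f();' +
    'var _0xabcdef=_0x7a8b9c[0];var _0x123456=_0xabcdef;',
};

console.log(JSON.stringify(auditPackage(SAMPLE_PACKAGE), null, 2));
```

Run it against a freshly unpacked `npm pack` tarball (with the file map built from the extracted files) before any `npm rebuild` or direct `make`; a non-empty result is a reason to stop and read the flagged files rather than to rebuild. The heuristics are deliberately simple and will miss obfuscators that do not use `_0x` names; the structural checks (shipped `build/`, target mismatch, unreferenced script) are the more reliable signal.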
Affected packages
No fixed version published yet for simple-node-calc-c (npm). Pin to a known-safe version or switch to an alternative.