MAL-2026-6455
Malicious code in simple-node-calc-ccc (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (f9bfe35484999f40374a6dcfea11247cf3407a3177e27506c714407b9384036a)

Package name 'simple-node-calc-ccc' presents as a trivial calculator but ships lodash-compiler.js, an 87KB obfuscator.io-packed file using rotating string-array decoding (_0xNNNN identifiers, `_0x2f6e` rotation table). The decoded payload calls `require('fs')['writeFileS'+'ync']('poc.txt', 'Security P...OC.')`.

The package also ships a non-standard `config.gypi` (line 9) containing `"action": ["node", "lodash-compiler.js"]`. config.gypi is normally generated locally by `node-gyp configure` and is not shipped with packages; shipping a hand-crafted config.gypi with a custom action that invokes an obfuscated sibling script is a covert mechanism to execute the obfuscated file whenever any downstream tool runs node-gyp in the package directory.

While the present payload only writes a marker file ('Security POC'), the technique itself delivers arbitrary obfuscated code execution to any installer who triggers a node-gyp build in this tree, and the obfuscation has no legitimate purpose for a calculator package.
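An added detection heuristic for the trigger pattern this advisory describes (example code written for this page, not taken from the advisory source or the package). It scans an unpacked package for a shipped `config.gypi`, follows any `"action"` entry that runs `node` on a sibling file, and scores that file for obfuscator.io markers; the file names mirror the advisory, the file bodies and the thresholds are constructed assumptions.

```javascript
// Added example (not part of the advisory or the package): heuristic audit of an
// unpacked npm package for a shipped config.gypi whose "action" runs an obfuscated
// sibling script. All sample file contents below are constructed.
const OBF_IDENT = /\b_0x[0-9a-f]{4,6}\b/g;                 // obfuscator.io string-array identifiers
const SPLIT_STRING = /'[A-Za-z]+'\s*\+\s*'[A-Za-z]+'/g;    // 'writeFileS'+'ync' style API-name splitting
const GYPI_ACTION = /["']action["']\s*:\s*\[([^\]]*)\]/g;  // "action": ["node", "x.js"] entries

// Extract each "action" argv list from a config.gypi body. GYP files are
// Python-literal-like, so this is a loose scan rather than a full parser.
function findGypiActions(gypiText) {
  const actions = [];
  let m;
  while ((m = GYPI_ACTION.exec(gypiText)) !== null) {
    actions.push(m[1].split(',').map(s => s.trim().replace(/^["']|["']$/g, '')).filter(Boolean));
  }
  return actions;
}

// Count obfuscator.io markers in a JavaScript file; the thresholds are assumptions.
function scoreObfuscation(jsText) {
  const hexIdents = new Set(jsText.match(OBF_IDENT) || []).size;
  const splitStrings = (jsText.match(SPLIT_STRING) || []).length;
  return { hexIdents, splitStrings, suspicious: hexIdents >= 3 || splitStrings >= 1 };
}

// files: { relativePath: contents } for one unpacked package. Returns readable findings.
function auditPackage(files) {
  const findings = [];
  // config.gypi is generated locally by `node-gyp configure`; shipping it is itself notable.
  if (!('config.gypi' in files)) return findings;
  findings.push('config.gypi shipped in package tarball');
  for (const argv of findGypiActions(files['config.gypi'])) {
    if (argv[0] !== 'node') continue;
    const target = argv[1];
    if (!(target in files)) { findings.push(`action runs node on missing file ${target}`); continue; }
    const s = scoreObfuscation(files[target]);
    findings.push(`action runs node on ${target}: hexIdents=${s.hexIdents} splitStrings=${s.splitStrings}`
      + (s.suspicious ? ' [obfuscated]' : ''));
  }
  return findings;
}

// Constructed package mirroring the advisory's layout (file names from the advisory, bodies invented).
const SAMPLE_PACKAGE = {
  'package.json': '{"name":"simple-node-calc-ccc","version":"0.0.0-constructed"}',
  'config.gypi': '{\n  "variables": {},\n  "action": ["node", "lodash-compiler.js"]\n}\n',
  'lodash-compiler.js':
    "var _0x2f6e=['fs','poc.txt'];(function(_0x1a2b,_0x3c4d){_0x1a2b.push(_0x1a2b.shift());}(_0x2f6e,0x1));" +
    "require(_0x2f6e[0x1])['writeFileS'+'ync'](_0x2f6e[0x0],'marker');",
};

console.log(auditPackage(SAMPLE_PACKAGE));
```

Run it against a real unpacked tarball by building the `files` map from the package directory; a shipped `config.gypi` with any `node` action is worth a manual look even when the obfuscation score is low.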
Affected packages
No fixed version published yet for simple-node-calc-ccc (npm). Pin to a known-safe version or switch to an alternative.