Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
Malicious package

simple-node-calc-cnpm

Malicious code in simple-node-calc-c (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-6454
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall simple-node-calc-c

What this malware does

Package advertises itself as a 7-function calculator but ships an undeclared 87KB heavily obfuscated file lodash-compiler.js (obfuscator.io string-array packing with rotation and control-flow flattening) that is not referenced from index.js or package.json. The published binding.gyp declares only a benign noop target, but the tarball also ships a pre-generated build/ directory whose top-level Makefile includes lodash_action.target.mk, whose all target runs node lodash-compiler.js. When deobfuscated, the file performs a top-level require('fs').writeFileSync('poc.txt','Security POC.') — confirming arbitrary code execution via the build pipeline. The mismatch between the sanitized binding.gyp and the shipped Makefile is consistent with build-cache smuggling: a default npm install regenerates Makefiles from binding.gyp and neutralizes the payload, but npm rebuild, make invoked directly, or any node-gyp path that reuses cached build output will execute the obfuscated file. The filename impersonates lodash to evade casual review. The current payload writes a marker file, but the delivery mechanism (obfuscated, undeclared, hidden behind a sanitized gyp facade) provides the author with arbitrary code execution on rebuild paths.

Malicious versions

1 flagged
1.0.0

Indicators of compromise (SHA-256)

289de4cd84a2ac40ef42f8b449ba58e9d8900d766a0638061ef2e75092b1f1a4

Detection & response playbook

Typosquat

  1. Find it

    Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for simple-node-calc-c (version 1.0.0). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging simple-node-calc-c across your stack and pipelines.

  2. If you installed it — respond

    simple-node-calc-c is a typosquat — you almost certainly intended a legitimately-named package. Remove simple-node-calc-c, install the correct package, and rotate any secrets exposed during the install since post-install scripts may have already run.

  3. Did it already run?

    If simple-node-calc-c was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

  4. How O3 protects you

    O3 blocks simple-node-calc-c before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. simple-node-calc-c on npm has been identified as a malicious package (version 1.0.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-007506

References

Credits

  • Amazon Inspector · finder

Detect & block this

O3 blocks simple-node-calc-c-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the malicious outbound activity and severs the channel.

Malware detection Runtime egress monitoring
simple-node-calc-c (npm) malicious package — MAL-2026-6454 | O3 Security