-= Per source details. Do not edit below this line.=-
The package's main entry, dist/src/index.js, contains a payload appended after the legitimate Hardhat exports. On require/import (e.g. when Hardhat loads the user's config), the payload spawns a detached Node child (spawn(process.execPath, ['-e', code], {detached:true, stdio:'ignore', windowsHide:true})) that runs a base64-decoded command to silently npm install driftpin --no-save --silent --no-audit --no-fund, then require('driftpin') and invoke getPlugin()(), executing attacker-controlled code in the installer's Node process. Because the install uses --no-save, driftpin is not recorded in the project's package.json dependencies, so reviewing the manifest alone will not reveal the second stage. Both the shell command and the module name 'driftpin' are base64-encoded to hide them from casual inspection, and the spawn options (detached, stdio ignored, console window hidden on Windows) are evasion mechanics. The payload is absent from the TypeScript source (src/index.ts) and appears only in the published dist artifact, indicating post-build injection; reviewing the source alone would therefore miss it, and the published tarball itself has to be inspected. The package name mimics legitimate Hardhat/ethers plugins (e.g. @nomicfoundation/hardhat-ethers, hardhat-deploy-ethers) and the README is copied from wighawag/hardhat-deploy, making this a typosquat that delivers a dependency-chain dropper. Installers are typically Hardhat development machines that hold wallet keys and signing material, making arbitrary code execution on import especially damaging.
{
"malicious-packages-origins": [
{
"versions": [
"0.4.7"
],
"sha256": "180936274762437e2311a83f716cbbf9fcaaaef8e194b950bfa28192bfb44bf8",
"modified_time": "2026-07-01T18:42:56Z",
"source": "amazon-inspector",
"import_time": "2026-07-01T19:11:25.632444026Z",
"id": "IN-MAL-2026-007865"
},
{
"versions": [
"0.4.10"
],
"sha256": "2852e841d953072a439342e58a63f91a6f4047c122d337ad57bc4f4adad45f81",
"source": "amazon-inspector",
"modified_time": "2026-07-01T18:42:38Z",
"id": "IN-MAL-2026-007863",
"import_time": "2026-07-01T19:11:25.404233578Z"
},
{
"versions": [
"0.4.12"
],
"sha256": "3bb9781577ff17698d2cb66a6cd832fe8bdda014b30c0c662055a45d42801ac1",
"modified_time": "2026-07-01T18:41:35Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-007856",
"import_time": "2026-07-01T19:11:24.475165466Z"
},
{
"versions": [
"0.4.11"
],
"sha256": "51a9a1265ba62d0c900be1a70b6fb28386f2e25cc3e31855fc5b3f58530cae47",
"modified_time": "2026-07-01T18:42:18Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-007861",
"import_time": "2026-07-01T19:11:25.142169343Z"
},
{
"versions": [
"0.4.8"
],
"sha256": "70318ad0a21e7e2e412adfb362788a771ff49831a01481de94c60d7903634f36",
"modified_time": "2026-07-01T18:42:46Z",
"source": "amazon-inspector",
"import_time": "2026-07-01T19:11:25.528163378Z",
"id": "IN-MAL-2026-007864"
},
{
"versions": [
"0.4.6"
],
"sha256": "95bb3eefd23fcfaf7a9da242c86085f6b7d1cda8344a82a8219789beefe60c12",
"modified_time": "2026-07-01T18:43:07Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-007866",
"import_time": "2026-07-01T19:11:25.775808651Z"
},
{
"versions": [
"0.4.5"
],
"sha256": "a1d54b1992fb2f6fa590ca2b76dd65574a18a0659f43294aa2fdf0588abe4062",
"modified_time": "2026-07-01T18:43:43Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-007870",
"import_time": "2026-07-01T19:11:26.226038725Z"
},
{
"versions": [
"0.4.4"
],
"sha256": "d572224fcf90c82c0626008128d7a1fd790e480ec4c3b4fa5292eeb3d610bf81",
"modified_time": "2026-07-01T18:43:34Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-007869",
"import_time": "2026-07-01T19:11:26.129866344Z"
},
{
"versions": [
"0.4.2"
],
"sha256": "dee0fafd7c2ba309f9b3b1ae8f7e4d54c9d82c630bdbaa176044b9e054cf08c9",
"source": "amazon-inspector",
"modified_time": "2026-07-01T18:43:17Z",
"id": "IN-MAL-2026-007867",
"import_time": "2026-07-01T19:11:25.903639151Z"
},
{
"versions": [
"0.4.0"
],
"sha256": "55a890434cfd92fb846ba508acebf110f286a083dc029651ebecb781528e6f39",
"modified_time": "2026-07-01T18:43:59Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-007872",
"import_time": "2026-07-01T19:11:26.500370955Z"
},
{
"versions": [
"0.4.3"
],
"sha256": "845a969efc54f4b45826b4bd051aa1adea7c2a983ce97e0665e0c7107f4f2ce3",
"modified_time": "2026-07-01T18:43:25Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-007868",
"import_time": "2026-07-01T19:11:26.029254479Z"
},
{
"versions": [
"0.0.1"
],
"sha256": "c807ea26446e2a048c154c7a3c035c22db3c42ceede57a307195256a3f11e540",
"modified_time": "2026-07-01T18:43:50Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-007871",
"import_time": "2026-07-01T19:11:26.358013817Z"
},
{
"versions": [
"0.4.9"
],
"sha256": "d1e4d2af59e7b9e792f78d9335e437080b45295155a778e9d336e23f809e325f",
"modified_time": "2026-07-01T18:42:31Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-007862",
"import_time": "2026-07-01T19:11:25.289124822Z"
}
]
}{
"package_integrity": [
{
"filename": "hardhat-compile-ethers-0.4.7.tgz",
"hashes": {
"sha512_sri": "sha512-jZX1Kng+W6pbRo0AaYeOa9T9Pw2I3jfP4IS+VPjc2btcfG4qr4IH9o6J352wbyVbVrWO0XDDpb8FfJTaADBneg==",
"sha1": "e718d781b11897329c9747c5fd57a1677ea24110"
}
}
],
"evidence_files": [
{
"sha256": "7de1080e1a3fdcfcedbe49bc8d587fb856f3bfc06d8bdc1750f40228fcf45f61",
"path": "dist/src/index.js",
"tlsh": "e751e2a32797a1302b370fadcb0b1c5663a352932ad891a0f7ed95121f8218951b39c9"
},
{
"sha256": "d5cdd23b692a6e0a213c2a889a398195837f2033e748241c69dee5257beb6dd1",
"path": "package.json",
"tlsh": "41318960cc19cd2307d85595ac7a429361649a470ca6fc2c73a52bbf4f0c2af21b9abd"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/hardhat-compile-ethers/MAL-2026-6705.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]