MAL-2026-6369: Malicious code in hardhat-test-log (npm)
The hardhat-test-log npm package impersonates legitimate Hardhat gas reporter packages to deliver malicious code. It contains a dead-code gate that ensures execution of a hidden payload which spawns a detached child process. This process fetches attacker-controlled JavaScript code from a public paste service and executes it with full Node.js require access, enabling remote code execution on developer or CI machines using this package.
AI Analysis
Technical Summary
The hardhat-test-log package (versions 1.1.0 and 1.1.2) masquerades as a known Hardhat gas reporter by copying metadata and author information. Its main reporter function is a decoy; the actual code path always triggers a function that spawns a detached child process running 'lib/syncResolve.js'. This script fetches JavaScript code from a mutable public paste site and executes it dynamically with Node.js require privileges, allowing arbitrary code execution. The payload source is uncontrolled and can be changed at any time by the attacker, making this a persistent and flexible remote code execution backdoor triggered by installing or using the package in Hardhat/Mocha environments.
Potential Impact
Installing or using the affected versions of hardhat-test-log results in remote code execution on the host machine. The attacker can execute arbitrary Node.js code with full module access, potentially compromising developer or CI environments. The malicious payload is fetched dynamically from a public, mutable source, enabling ongoing attacker control and evasion of detection.
Mitigation Recommendations
No official patch or remediation is currently documented. Users should immediately avoid installing or using the hardhat-test-log package versions 1.1.0 and 1.1.2. Verify dependencies to ensure this malicious package is not present. Consider removing it if found. Monitor vendor advisories or trusted security sources for updates or official fixes. Since this is a malicious package impersonating legitimate tools, prefer installing only from verified and official package sources.
MAL-2026-6369: Malicious code in hardhat-test-log (npm)
Description
The hardhat-test-log npm package impersonates legitimate Hardhat gas reporter packages to deliver malicious code. It contains a dead-code gate that ensures execution of a hidden payload which spawns a detached child process. This process fetches attacker-controlled JavaScript code from a public paste service and executes it with full Node.js require access, enabling remote code execution on developer or CI machines using this package.
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The hardhat-test-log package (versions 1.1.0 and 1.1.2) masquerades as a known Hardhat gas reporter by copying metadata and author information. Its main reporter function is a decoy; the actual code path always triggers a function that spawns a detached child process running 'lib/syncResolve.js'. This script fetches JavaScript code from a mutable public paste site and executes it dynamically with Node.js require privileges, allowing arbitrary code execution. The payload source is uncontrolled and can be changed at any time by the attacker, making this a persistent and flexible remote code execution backdoor triggered by installing or using the package in Hardhat/Mocha environments.
Potential Impact
Installing or using the affected versions of hardhat-test-log results in remote code execution on the host machine. The attacker can execute arbitrary Node.js code with full module access, potentially compromising developer or CI environments. The malicious payload is fetched dynamically from a public, mutable source, enabling ongoing attacker control and evasion of detection.
Mitigation Recommendations
No official patch or remediation is currently documented. Users should immediately avoid installing or using the hardhat-test-log package versions 1.1.0 and 1.1.2. Verify dependencies to ensure this malicious package is not present. Consider removing it if found. Monitor vendor advisories or trusted security sources for updates or official fixes. Since this is a malicious package impersonating legitimate tools, prefer installing only from verified and official package sources.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- MAL-2026-6369
- Osv Schema Version
- 1.7.4
- Aliases
- []
- Ecosystems
- ["npm"]
- Database Specific Severity
- null
- Cvss Version
- null
Threat ID: 6a42ed6927e9c7971993829a
Added to database: 06/29/2026, 22:10:49 UTC
Last enriched: 06/29/2026, 22:36:06 UTC
Last updated: 07/02/2026, 05:14:56 UTC
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.