Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

MAL-2026-6369: Malicious code in hardhat-test-log (npm)

0
Critical
Published: 06/24/2026 (06/24/2026, 04:13:05 UTC)
Source: GCVE Database
Product: hardhat-test-log

Description

The hardhat-test-log npm package impersonates legitimate Hardhat gas reporter packages to deliver malicious code. It contains a dead-code gate that ensures execution of a hidden payload which spawns a detached child process. This process fetches attacker-controlled JavaScript code from a public paste service and executes it with full Node.js require access, enabling remote code execution on developer or CI machines using this package.

Affected software

npmghsa
hardhat-test-log
Affected versions
=1.1.0=1.1.2

Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 06/29/2026, 22:36:06 UTC

Technical Analysis

The hardhat-test-log package (versions 1.1.0 and 1.1.2) masquerades as a known Hardhat gas reporter by copying metadata and author information. Its main reporter function is a decoy; the actual code path always triggers a function that spawns a detached child process running 'lib/syncResolve.js'. This script fetches JavaScript code from a mutable public paste site and executes it dynamically with Node.js require privileges, allowing arbitrary code execution. The payload source is uncontrolled and can be changed at any time by the attacker, making this a persistent and flexible remote code execution backdoor triggered by installing or using the package in Hardhat/Mocha environments.

Potential Impact

Installing or using the affected versions of hardhat-test-log results in remote code execution on the host machine. The attacker can execute arbitrary Node.js code with full module access, potentially compromising developer or CI environments. The malicious payload is fetched dynamically from a public, mutable source, enabling ongoing attacker control and evasion of detection.

Mitigation Recommendations

No official patch or remediation is currently documented. Users should immediately avoid installing or using the hardhat-test-log package versions 1.1.0 and 1.1.2. Verify dependencies to ensure this malicious package is not present. Consider removing it if found. Monitor vendor advisories or trusted security sources for updates or official fixes. Since this is a malicious package impersonating legitimate tools, prefer installing only from verified and official package sources.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Gcve Source
db.gcve.eu
Osv Id
MAL-2026-6369
Osv Schema Version
1.7.4
Aliases
[]
Ecosystems
["npm"]
Database Specific Severity
null
Cvss Version
null

Threat ID: 6a42ed6927e9c7971993829a

Added to database: 06/29/2026, 22:10:49 UTC

Last enriched: 06/29/2026, 22:36:06 UTC

Last updated: 07/02/2026, 05:14:56 UTC

Views: 6

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses