npm

gas-log @1.1.1

Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 10:29 PM UTC

Malicious

OSV ID

MAL-2026-6962

Ecosystem

npm

Summary

gas-log impersonates the legitimate eth-gas-reporter package: it reuses that project's README, keywords, badges, and CHANGELOG, and the README even instructs users to install the target name. The exported Mocha reporter in index.js contains two near-identical implementations. The real reporter (Gas) is defined but not exported; the exported function (log) sets var opt = 1 and unconditionally enters an else branch that calls utils.connectNet(...) , making the always-false if (!opt) guard a dead-code gate that hides the payload as an unreachable variant of the legitimate code. utils.connectNet spawns a detached, unref'd node lib/syncResolve.js child so the loader outlives the parent Mocha process. lib/syncResolve.js issues axios.get(DEV_URI, { headers: { 'x-secret-key': '_' } }) , extracts .data.Cookie from the response, and passes it to new Function.constructor('require', result) with require bound in, then invokes it — an eval of attacker-controlled response bytes with full Node module access, retried 5 times. DEV_URI is empty in this shipped version so the fetch will fail today, but the mechanism is complete and armed: any future publish, DNS resolution, or same-origin redirect activates full RCE on any developer who runs mocha with this reporter. The typosquat framing, the dead-code gate, and the fetch → eval → detached-child chain together are unambiguous supply-chain attack intent.

Source: amazon-inspector (36241e999d92bad738082bf420fc144391735f9f3707bc4baa0153b4cb0eec8a)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.