Add report for hardhat-dotenv

Signed-off-by: poppysec <[email protected]>
ossf · Jan 9, 2025 · 8b976dd · 8b976dd
1 parent 4f8965e
commit 8b976dd
Showing 1 changed file with 29 additions and 0 deletions.
diff --git a/osv/malicious/npm/hardhat-dotenv/MAL-0000-hardhat-dotenv.json b/osv/malicious/npm/hardhat-dotenv/MAL-0000-hardhat-dotenv.json
@@ -0,0 +1,29 @@
+{
+    "modified": "2025-01-09T17:22:47.785671Z",
+    "published": "2025-01-09T17:22:47.785671Z",
+    "schema_version": "1.5.0",
+    "id": "",
+    "summary": "Malicious code in hardhat-dotenv (npm)",
+    "details": "The package contains code to exfiltrate environment variables to an attacker-controlled server.",
+    "affected": [
+        {
+            "package": {
+                "ecosystem": "npm",
+                "name": "hardhat-dotenv"
+            },
+            "versions": [
+                "16.4.8",
+                "16.4.7"
+            ]
+        }
+    ],
+    "credits": [
+        {
+            "name": "Stacklok Insight: insight.stacklok.com",
+            "type": "FINDER",
+            "contact": [
+                "https://discord.com/invite/RkzVuTp3WK"
+            ]
+        }
+    ]
+}