MAL-2026-10103

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/optimize-regex/MAL-2026-10103.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10103
Published
2026-07-09T23:01:55Z
Modified
2026-07-09T23:47:00.720324810Z
Summary
Malicious code in optimize-regex (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (9b77c2c0dab050d3a675407d74b649c73bfc107da05191cf041fb66e0346073a)

package.json declares optimize-regex as a dependency (and devDependency) of itself, resolved via a plain-HTTP tarball URL at http://pack.nppacks.com/npm/optimize-regex — a host unrelated to the package's publisher and outside the npm registry. On npm install, npm fetches and installs whatever bytes that URL currently serves as the same package name, giving the operator of pack.nppacks.com full control over the code that ends up in the installer's node_modules. The URL is unpinned (no hash, no version), served over cleartext HTTP (mutable in transit as well as at the host), and the visible index.js is a near-verbatim clone of babel-plugin-transform-define with a package name and description that do not match that functionality — a decoy while the actual payload is delivered through URL-scheme dependency resolution.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "9b77c2c0dab050d3a675407d74b649c73bfc107da05191cf041fb66e0346073a",
            "id": "IN-MAL-2026-009591",
            "import_time": "2026-07-09T23:30:55.796708279Z",
            "versions": [
                "1.2.1"
            ],
            "modified_time": "2026-07-09T23:01:55Z",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / optimize-regex

Package

Affected ranges

Affected versions

1.*
1.2.1

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "40f630bf111f7e97669e5fcdbb8a5edad0f2ab8bf94e33a8a69639833796234d",
            "tlsh": "e4f0c224ca62ea234cc825a67967010b63249a57586dfd1c73eb261c9e4c2bf31f825e",
            "path": "package.json"
        },
        {
            "sha256": "f2fcebdb4f0e41365a39ca87a52fcc4e6abd5633fe6272e60d1386d26b90ef41",
            "tlsh": "71a1935ab5e0159745aa22e5b3ce48b577bd80b3330df5a0b54cbf563f40c348a1aed1",
            "path": "index.js"
        }
    ],
    "package_integrity": [
        {
            "filename": "optimize-regex-1.2.1.tgz",
            "hashes": {
                "sha512_sri": "sha512-W9cXDw66Laddz5yv6FzWWwbt5p4Lfi8KxEeLBwtYJAFQOtnCGfkem1U/tQoEhXS+noVYPJY9D8+EhFJPBVlz/Q==",
                "sha1": "d3294d4258aba12920ae0e9c6398968c37848a8d"
            }
        }
    ]
}
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/optimize-regex/MAL-2026-10103.json"