-= Per source details. Do not edit below this line.=-
package.json declares both a dependency and a devDependency on 'transform-es2015-sticky-regex' pointing at http://pack.nppacks.com/npm/transform-es2015-sticky-regex. On npm install, npm fetches whatever tarball that plain-HTTP, non-registry host currently serves and installs it into node_modules with no version pin and no integrity hash — the maintainer of pack.nppacks.com can substitute arbitrary code at any time and it will land in the installer's dependency tree on the next install. The package name is also a namespace-confusion of the well-known 'babel-plugin-transform-es2015-sticky-regex' (Babel plugin naming convention prefixes 'babel-plugin-'); the shipped index.js does not implement the sticky-regex transform but a DefinePlugin-style identifier replacer, and a source comment states the package is 'for Security Research Testing Purpose'. Additional network-capable dependencies (axios, node-fetch, ws) are declared but unused by the shipped code, pre-staging network primitives for whatever the swapped tarball chooses to import.
{
"malicious-packages-origins": [
{
"sha256": "eadf76ef8e123f9ce50c2910c71912996a3d079a91076ffed8d29830a1687ae1",
"id": "IN-MAL-2026-009622",
"modified_time": "2026-07-10T15:39:56Z",
"versions": [
"6.24.3"
],
"import_time": "2026-07-10T16:19:42.174843647Z",
"source": "amazon-inspector"
}
]
}{
"evidence_files": [
{
"tlsh": "7101d604ce25ad6348c56195a9e60e17d659da8b08e9bd8c33db179d0b4c0bf30f423a",
"sha256": "39b0ee92ac659176907527f02d21850b7fc2a9e53dd08fc77a35fe1196f62a27",
"path": "package.json"
},
{
"sha256": "f2fcebdb4f0e41365a39ca87a52fcc4e6abd5633fe6272e60d1386d26b90ef41",
"tlsh": "71a1935ab5e0159745aa22e5b3ce48b577bd80b3330df5a0b54cbf563f40c348a1aed1",
"path": "index.js"
}
],
"package_integrity": [
{
"filename": "transform-es2015-sticky-regex-6.24.3.tgz",
"hashes": {
"sha512_sri": "sha512-iXD+7MQC15SwqF+5ipjzGi3p4NE+JuAv3Lc+I8Yez6tjkXisxN73Fo0w5KVyZ09Gli1ePRY0TQIBoqlMyAKLrQ==",
"sha1": "7ed38f2193f8510ea360731916240600b991357d"
}
}
]
}
[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/transform-es2015-sticky-regex/MAL-2026-10136.json"