MAL-2026-10136

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/transform-es2015-sticky-regex/MAL-2026-10136.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10136
Published
2026-07-10T15:39:56Z
Modified
2026-07-10T16:31:59.449297214Z
Summary
Malicious code in transform-es2015-sticky-regex (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (eadf76ef8e123f9ce50c2910c71912996a3d079a91076ffed8d29830a1687ae1)

package.json declares both a dependency and a devDependency on 'transform-es2015-sticky-regex' pointing at http://pack.nppacks.com/npm/transform-es2015-sticky-regex. On npm install, npm fetches whatever tarball that plain-HTTP, non-registry host currently serves and installs it into node_modules with no version pin and no integrity hash — the maintainer of pack.nppacks.com can substitute arbitrary code at any time and it will land in the installer's dependency tree on the next install. The package name is also a namespace-confusion of the well-known 'babel-plugin-transform-es2015-sticky-regex' (Babel plugin naming convention prefixes 'babel-plugin-'); the shipped index.js does not implement the sticky-regex transform but a DefinePlugin-style identifier replacer, and a source comment states the package is 'for Security Research Testing Purpose'. Additional network-capable dependencies (axios, node-fetch, ws) are declared but unused by the shipped code, pre-staging network primitives for whatever the swapped tarball chooses to import.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "eadf76ef8e123f9ce50c2910c71912996a3d079a91076ffed8d29830a1687ae1",
            "id": "IN-MAL-2026-009622",
            "modified_time": "2026-07-10T15:39:56Z",
            "versions": [
                "6.24.3"
            ],
            "import_time": "2026-07-10T16:19:42.174843647Z",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / transform-es2015-sticky-regex

Package

Name
transform-es2015-sticky-regex
View open source insights on deps.dev
Purl
pkg:npm/transform-es2015-sticky-regex

Affected ranges

Affected versions

6.*
6.24.3

Database specific

indicators
{
    "evidence_files": [
        {
            "tlsh": "7101d604ce25ad6348c56195a9e60e17d659da8b08e9bd8c33db179d0b4c0bf30f423a",
            "sha256": "39b0ee92ac659176907527f02d21850b7fc2a9e53dd08fc77a35fe1196f62a27",
            "path": "package.json"
        },
        {
            "sha256": "f2fcebdb4f0e41365a39ca87a52fcc4e6abd5633fe6272e60d1386d26b90ef41",
            "tlsh": "71a1935ab5e0159745aa22e5b3ce48b577bd80b3330df5a0b54cbf563f40c348a1aed1",
            "path": "index.js"
        }
    ],
    "package_integrity": [
        {
            "filename": "transform-es2015-sticky-regex-6.24.3.tgz",
            "hashes": {
                "sha512_sri": "sha512-iXD+7MQC15SwqF+5ipjzGi3p4NE+JuAv3Lc+I8Yez6tjkXisxN73Fo0w5KVyZ09Gli1ePRY0TQIBoqlMyAKLrQ==",
                "sha1": "7ed38f2193f8510ea360731916240600b991357d"
            }
        }
    ]
}
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/transform-es2015-sticky-regex/MAL-2026-10136.json"