{"id":"MAL-2026-10136","summary":"Malicious code in transform-es2015-sticky-regex (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (eadf76ef8e123f9ce50c2910c71912996a3d079a91076ffed8d29830a1687ae1)\npackage.json declares both a dependency and a devDependency on 'transform-es2015-sticky-regex' pointing at http://pack.nppacks.com/npm/transform-es2015-sticky-regex. On `npm install`, npm fetches whatever tarball that plain-HTTP, non-registry host currently serves and installs it into node_modules with no version pin and no integrity hash — the maintainer of pack.nppacks.com can substitute arbitrary code at any time and it will land in the installer's dependency tree on the next install. The package name is also a namespace-confusion of the well-known 'babel-plugin-transform-es2015-sticky-regex' (Babel plugin naming convention prefixes 'babel-plugin-'); the shipped index.js does not implement the sticky-regex transform but a DefinePlugin-style identifier replacer, and a source comment states the package is 'for Security Research Testing Purpose'. Additional network-capable dependencies (axios, node-fetch, ws) are declared but unused by the shipped code, pre-staging network primitives for whatever the swapped tarball chooses to import.\n","modified":"2026-07-10T16:31:59.449297214Z","published":"2026-07-10T15:39:56Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","sha256":"eadf76ef8e123f9ce50c2910c71912996a3d079a91076ffed8d29830a1687ae1","modified_time":"2026-07-10T15:39:56Z","import_time":"2026-07-10T16:19:42.174843647Z","versions":["6.24.3"],"id":"IN-MAL-2026-009622"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/transform-es2015-sticky-regex/v/6.24.3"}],"affected":[{"package":{"name":"transform-es2015-sticky-regex","ecosystem":"npm","purl":"pkg:npm/transform-es2015-sticky-regex"},"versions":["6.24.3"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/transform-es2015-sticky-regex/MAL-2026-10136.json","cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}],"indicators":{"evidence_files":[{"sha256":"39b0ee92ac659176907527f02d21850b7fc2a9e53dd08fc77a35fe1196f62a27","path":"package.json","tlsh":"7101d604ce25ad6348c56195a9e60e17d659da8b08e9bd8c33db179d0b4c0bf30f423a"},{"sha256":"f2fcebdb4f0e41365a39ca87a52fcc4e6abd5633fe6272e60d1386d26b90ef41","path":"index.js","tlsh":"71a1935ab5e0159745aa22e5b3ce48b577bd80b3330df5a0b54cbf563f40c348a1aed1"}],"package_integrity":[{"hashes":{"sha1":"7ed38f2193f8510ea360731916240600b991357d","sha512_sri":"sha512-iXD+7MQC15SwqF+5ipjzGi3p4NE+JuAv3Lc+I8Yez6tjkXisxN73Fo0w5KVyZ09Gli1ePRY0TQIBoqlMyAKLrQ=="},"filename":"transform-es2015-sticky-regex-6.24.3.tgz"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}