VDB
KO

MAL-2026-10136

Malicious code in transform-es2015-sticky-regex (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (eadf76ef8e123f9ce50c2910c71912996a3d079a91076ffed8d29830a1687ae1) package.json declares both a dependency and a devDependency on 'transform-es2015-sticky-regex' pointing at http://pack.nppacks.com/npm/transform-es2015-sticky-regex. On `npm install`, npm fetches whatever tarball that plain-HTTP, non-registry host currently serves and installs it into node_modules with no version pin and no integrity hash — the maintainer of pack.nppacks.com can substitute arbitrary code at any time and it will land in the installer's dependency tree on the next install. The package name is also a namespace-confusion of the well-known 'babel-plugin-transform-es2015-sticky-regex' (Babel plugin naming convention prefixes 'babel-plugin-'); the shipped index.js does not implement the sticky-regex transform but a DefinePlugin-style identifier replacer, and a source comment states the package is 'for Security Research Testing Purpose'. Additional network-capable dependencies (axios, node-fetch, ws) are declared but unused by the shipped code, pre-staging network primitives for whatever the swapped tarball chooses to import.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / transform-es2015-sticky-regex

No fixed version published yet for transform-es2015-sticky-regex (npm). Pin to a known-safe version or switch to an alternative.

References