registry  /  optimize-regex  /  1.2.1

optimize-regex@1.2.1

NPM

OSV Malicious Advisory

scanned 3h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10103 confirms this npm version as malicious. package.json declares `optimize-regex` as a dependency (and devDependency) of itself, resolved via a plain-HTTP tarball URL at http://pack.nppacks.com/npm/optimize-regex — a host unrelated to the package's publisher and outside the npm registry. On `npm install`, npm fetches and installs whatever bytes that URL currently serves as the same package name, giving the operator of pack.nppacks.com full control over the...

Advisory
MAL-2026-10103
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in optimize-regex (npm)
Details
package.json declares `optimize-regex` as a dependency (and devDependency) of itself, resolved via a plain-HTTP tarball URL at http://pack.nppacks.com/npm/optimize-regex — a host unrelated to the package's publisher and outside the npm registry. On `npm install`, npm fetches and installs whatever bytes that URL currently serves as the same package name, giving the operator of pack.nppacks.com full control over the code that ends up in the installer's node_modules. The URL is unpinned (no hash, no version), served over cleartext HTTP (mutable in transit as well as at the host), and the visible index.js is a near-verbatim clone of babel-plugin-transform-define with a package name and description that do not match that functionality — a decoy while the actual payload is delivered through URL-scheme dependency resolution.
Decision reason
OpenSSF Malicious Packages via OSV confirms optimize-regex@1.2.1 as malicious (MAL-2026-10103): Malicious code in optimize-regex (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory