registry  /  transform-es2015-sticky-regex  /  6.24.3

transform-es2015-sticky-regex@6.24.3

NPM

OSV Malicious Advisory

scanned 3h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10136 confirms this npm version as malicious. package.json declares both a dependency and a devDependency on 'transform-es2015-sticky-regex' pointing at http://pack.nppacks.com/npm/transform-es2015-sticky-regex. On `npm install`, npm fetches whatever tarball that plain-HTTP, non-registry host currently serves and installs it into node_modules with no version pin and no integrity hash — the maintainer of pack.nppacks.com can substitute arbitrary code at any time...

Advisory
MAL-2026-10136
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in transform-es2015-sticky-regex (npm)
Details
package.json declares both a dependency and a devDependency on 'transform-es2015-sticky-regex' pointing at http://pack.nppacks.com/npm/transform-es2015-sticky-regex. On `npm install`, npm fetches whatever tarball that plain-HTTP, non-registry host currently serves and installs it into node_modules with no version pin and no integrity hash — the maintainer of pack.nppacks.com can substitute arbitrary code at any time and it will land in the installer's dependency tree on the next install. The package name is also a namespace-confusion of the well-known 'babel-plugin-transform-es2015-sticky-regex' (Babel plugin naming convention prefixes 'babel-plugin-'); the shipped index.js does not implement the sticky-regex transform but a DefinePlugin-style identifier replacer, and a source comment states the package is 'for Security Research Testing Purpose'. Additional network-capable dependencies (axios, node-fetch, ws) are declared but unused by the shipped code, pre-staging network primitives for whatever the swapped tarball chooses to import.
Decision reason
OpenSSF Malicious Packages via OSV confirms transform-es2015-sticky-regex@6.24.3 as malicious (MAL-2026-10136): Malicious code in transform-es2015-sticky-regex (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory