regexp-ts @2.1.7
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-5310
Ecosystem
npm
Summary
regexp-ts masquerades as the pino logger (description, keywords, and a module.exports.pino export) but is actually a remote-code-execution loader. When a consumer imports the package and invokes its middleware export, index.js unconditionally spawns lib/caller.js as a detached Node process, so the payload outlives the importing process. caller.js performs an HTTP GET to https://jsonkeeper.com/b/U2BTS, takes the cookie field of the JSON response, and runs it via new Function.constructor('require', s)(require), executing arbitrary attacker-controlled JavaScript with full Node.js privileges and access to the host's require. Additional payload URLs (https://jsonkeeper.com/b/XRGF3 and https://jsonkeeper.com/b/4NAKK) are hidden as base64 strings in lib/const.js under cover names like DEV_API_KEY / DEV_SECRET_KEY to evade casual review. Because the payload host is a free anonymous JSON paste service, the executed code can be changed at any time without a package update; a payload captured during analysis is therefore only what the paste held at that moment, not necessarily what other victims received.
Source: amazon-inspector (9828b4712ac404ec6f143f9c3115eb73ccd4418bab9cb17327ae325d488954e1)