npm

transform-es2015-sticky-regex @6.24.3

Vulnerability report · Last retrieved from osv.dev July 10, 2026 at 6:33 PM UTC

Malicious

OSV ID

MAL-2026-10136

Ecosystem

npm

Summary

package.json declares both a dependency and a devDependency on 'transform-es2015-sticky-regex' pointing at http://pack.nppacks.com/npm/transform-es2015-sticky-regex. On npm install , npm fetches whatever tarball that plain-HTTP, non-registry host currently serves and installs it into node_modules with no version pin and no integrity hash — the maintainer of pack.nppacks.com can substitute arbitrary code at any time and it will land in the installer's dependency tree on the next install. The package name is also a namespace-confusion of the well-known 'babel-plugin-transform-es2015-sticky-regex' (Babel plugin naming convention prefixes 'babel-plugin-'); the shipped index.js does not implement the sticky-regex transform but a DefinePlugin-style identifier replacer, and a source comment states the package is 'for Security Research Testing Purpose'. Additional network-capable dependencies (axios, node-fetch, ws) are declared but unused by the shipped code, pre-staging network primitives for whatever the swapped tarball chooses to import.

Source: amazon-inspector (eadf76ef8e123f9ce50c2910c71912996a3d079a91076ffed8d29830a1687ae1)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.