OSV-MAL-2026-5310

Malicious code in regexp-ts (npm)

--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (9828b4712ac404ec6f143f9c3115eb73ccd4418bab9cb17327ae325d488954e1) regexp-ts masquerades as the pino logger (description, keywords, and `module.exports.pino` export) but is actually a remote-code-execution loader. When a consumer imports the package and invokes its middleware export, index.js unconditionally spawns lib/caller.js as a detached Node process. caller.js performs an HTTP GET to https://jsonkeeper.com/b/U2BTS, takes the `cookie` field of the JSON response, and runs it via `new Function.constructor('require', s)(require)` — executing arbitrary attacker-controlled JavaScript with full Node.js privileges and access to the host's `require`. Additional payload URLs (https://jsonkeeper.com/b/XRGF3 and https://jsonkeeper.com/b/4NAKK) are hidden as base64 strings in lib/const.js under cover names like `DEV_API_KEY`/`DEV_SECRET_KEY` to evade casual review. Because the payload host is a free anonymous JSON paste service, the executed code is mutable at any time without a package update. ## Source: ghsa-malware (33f86b654ba85b8393a661095dbca749a30cc352525fa1712773654a8221e2e3) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.