MAL-2026-10103: Malicious code in optimize-regex (npm)
The npm package 'optimize-regex' version 1.2.1 is identified as malicious. It declares itself as a dependency resolved via an untrusted plain-HTTP tarball URL hosted on an unrelated domain (pack.nppacks.com), outside the official npm registry. This setup allows the remote host to control the code installed during 'npm install', potentially delivering malicious payloads. The package's visible code is a near-verbatim clone of a legitimate package but serves as a decoy while the actual malicious code is delivered through URL-scheme dependency resolution.
AI Analysis
Technical Summary
The 'optimize-regex' npm package version 1.2.1 is compromised by using a dependency URL that points to an untrusted, non-npm domain over unencrypted HTTP. This allows an attacker controlling the host pack.nppacks.com to serve arbitrary code during installation, effectively hijacking the package installation process. The package's index.js file mimics a legitimate package to disguise its true malicious intent, which is delivered via URL-scheme dependency resolution. This represents a supply chain attack vector through dependency resolution in npm.
Potential Impact
Users installing 'optimize-regex' version 1.2.1 may unknowingly execute malicious code controlled by an attacker due to the untrusted HTTP tarball source. This compromises the integrity of the software supply chain and can lead to arbitrary code execution in the context of the installing environment. No known exploits in the wild have been reported yet.
Mitigation Recommendations
Avoid using 'optimize-regex' version 1.2.1 from untrusted sources. Since no official patch or fix is indicated, users should remove this package from their dependencies and replace it with a trusted alternative or wait for an official fix. Verify all package sources use HTTPS and are from the official npm registry. Monitor vendor advisories for updates regarding this package.
MAL-2026-10103: Malicious code in optimize-regex (npm)
Description
The npm package 'optimize-regex' version 1.2.1 is identified as malicious. It declares itself as a dependency resolved via an untrusted plain-HTTP tarball URL hosted on an unrelated domain (pack.nppacks.com), outside the official npm registry. This setup allows the remote host to control the code installed during 'npm install', potentially delivering malicious payloads. The package's visible code is a near-verbatim clone of a legitimate package but serves as a decoy while the actual malicious code is delivered through URL-scheme dependency resolution.
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The 'optimize-regex' npm package version 1.2.1 is compromised by using a dependency URL that points to an untrusted, non-npm domain over unencrypted HTTP. This allows an attacker controlling the host pack.nppacks.com to serve arbitrary code during installation, effectively hijacking the package installation process. The package's index.js file mimics a legitimate package to disguise its true malicious intent, which is delivered via URL-scheme dependency resolution. This represents a supply chain attack vector through dependency resolution in npm.
Potential Impact
Users installing 'optimize-regex' version 1.2.1 may unknowingly execute malicious code controlled by an attacker due to the untrusted HTTP tarball source. This compromises the integrity of the software supply chain and can lead to arbitrary code execution in the context of the installing environment. No known exploits in the wild have been reported yet.
Mitigation Recommendations
Avoid using 'optimize-regex' version 1.2.1 from untrusted sources. Since no official patch or fix is indicated, users should remove this package from their dependencies and replace it with a trusted alternative or wait for an official fix. Verify all package sources use HTTPS and are from the official npm registry. Monitor vendor advisories for updates regarding this package.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- MAL-2026-10103
- Osv Schema Version
- 1.7.4
- Aliases
- []
- Ecosystems
- ["npm"]
- Database Specific Severity
- null
- Cvss Version
- null
Threat ID: 6a50ba4568715ace4357e5a6
Added to database: 07/10/2026, 09:24:21 UTC
Last enriched: 07/10/2026, 09:35:37 UTC
Last updated: 07/10/2026, 09:35:37 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.