Which versions of regexp-ts are malicious?

The following npm versions of regexp-ts are flagged malicious: 2.1.7. Treat any of these as compromised.

How do I remediate regexp-ts if I installed it?

Remove regexp-ts from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is regexp-ts part of a known attack campaign?

Yes — regexp-ts is associated with the GHSA-5p9w-932r-cr5f, IN-MAL-2026-006184 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect regexp-ts in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking regexp-ts and packages like it before any post-install script runs.

Malicious package

regexp-tsnpm

Malicious code in regexp-ts (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5310

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall regexp-ts

What this malware does

regexp-ts masquerades as the pino logger (description, keywords, and module.exports.pino export) but is actually a remote-code-execution loader. When a consumer imports the package and invokes its middleware export, index.js unconditionally spawns lib/caller.js as a detached Node process. caller.js performs an HTTP GET to https://jsonkeeper.com/b/U2BTS, takes the cookie field of the JSON response, and runs it via new Function.constructor('require', s)(require) — executing arbitrary attacker-controlled JavaScript with full Node.js privileges and access to the host's require. Additional payload URLs (https://jsonkeeper.com/b/XRGF3 and https://jsonkeeper.com/b/4NAKK) are hidden as base64 strings in lib/const.js under cover names like DEV_API_KEY/DEV_SECRET_KEY to evade casual review. Because the payload host is a free anonymous JSON paste service, the executed code is mutable at any time without a package update.

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Malicious versions

1 flagged

2.1.7

Indicators of compromise (SHA-256)

33f86b654ba85b8393a661095dbca749a30cc352525fa1712773654a8221e2e3

9828b4712ac404ec6f143f9c3115eb73ccd4418bab9cb17327ae325d488954e1

Frequently asked questions

No. regexp-ts on npm has been identified as a malicious package (version 2.1.7 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

GHSA-5p9w-932r-cr5fIN-MAL-2026-006184

References

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection