MAL-2026-10065
Malicious code in nodemon-gulp (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (04b5ac5c522b156a64f943a2d8e2dfd170230d0a23ac0bae5ada0945c7aee4c7) The package name `nodemon-gulp` impersonates the widely used `nodemon` package (and collides with the legitimate `gulp-nodemon`). The tarball is a near-verbatim copy of the real nodemon source with the original author/homepage metadata reused as cover. The manifest declares `ts-webplug@^3.0.5` (and `chai`, normally a devDependency) under `dependencies`, but neither package is `require()`d anywhere under `lib/` or `bin/`. Because the deps are unused by the wrapper, their only effect is to be resolved and installed onto any machine that runs `npm install nodemon-gulp` — the typosquat wrapper is inert, and the installer-facing payload lives in the transitive package `ts-webplug`, which is silently pulled into the dependency tree. This is the standard typosquat-plus-dependency-injection dropper shape: a familiar-looking clone that exists to deliver an attacker-controlled transitive.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for nodemon-gulp (npm). Pin to a known-safe version or switch to an alternative.