VDB
KO

MAL-2026-10508

Malicious code in nodemon-elint (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (869b2e1ce23c7668369cd6316bca7d3f8a564fa575ebbee8d1e3cf6a68d4ccaa) nodemon-elint@3.1.13 copies the source tree, README, author metadata, and homepage of the legitimate `nodemon` package but is published under a confusable name. Its package.json declares a runtime dependency on `type-elint@^3.3.7`, which is not required or imported by any file under lib/ and has no documented purpose in the package. Installing nodemon-elint therefore causes npm to resolve and install `type-elint` into the installer's dependency tree, where any install-time lifecycle scripts or require-time side effects in that sibling package execute on the installer's machine. The package.json also lists `chai@^4.4.1` — a test assertion library — under `dependencies` rather than `devDependencies`, with no `require('chai')` anywhere in lib/, an additional anomalous production dependency inconsistent with upstream nodemon. The pattern (name-confusion wrapper of a popular package + undocumented, unused sibling dependency whose name mirrors the typosquat scheme) is a dependency-chain drop: the wrapper itself contains no visible payload, but installing it pulls in attacker-controlled code via the forced dependency.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / nodemon-elint

No fixed version published yet for nodemon-elint (npm). Pin to a known-safe version or switch to an alternative.

References