OSV Malicious Advisory
scanned 3h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-5308 confirms this npm version as malicious. The package is published as 'nodemon-copack' but its package.json wholesale impersonates the legitimate nodemon project: homepage is set to https://nodemon.io, author is set to 'Remy Sharp', repository points to github.com/remy/nodemon, and a 'nodemon' bin entry installs a `nodemon` command into the consumer's PATH. The lib/* sources are a near-verbatim copy of upstream nodemon...
Advisory
MAL-2026-5308
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in nodemon-copack (npm)
Details
The package is published as 'nodemon-copack' but its package.json wholesale impersonates the legitimate nodemon project: homepage is set to https://nodemon.io, author is set to 'Remy Sharp', repository points to github.com/remy/nodemon, and a 'nodemon' bin entry installs a `nodemon` command into the consumer's PATH. The lib/* sources are a near-verbatim copy of upstream nodemon. The manifest declares two runtime dependencies that are absent from upstream nodemon and are not referenced by any file shipped in this tarball: 'regex-js' (^1.1.5) and 'chai' (^4.4.1). A grep across lib/ and bin/ shows no `require('regex-js')` or `require('chai')`, so neither package serves any functional purpose here; their only effect is to be silently pulled into the installer's dependency graph by anyone who installs nodemon-copack believing it is a legitimate nodemon fork. chai is a test-assertion library normally placed in devDependencies; its presence in runtime dependencies, alongside the unreferenced regex-js, is consistent with a dependency-smuggling pattern where the actual payload would live in the smuggled package rather than in this one. No exfiltration, RCE, credential access, or install-time destructive action is present in the package itself; the harm shape is namespace impersonation plus transitive-dep injection, where the danger depends on what regex-js / chai resolve to at install time.
## Source: ghsa-malware (c19d51ffe2ef2fc40ac2efc32c5abe45d0f04280090bf17114c9cf87148cc1e3) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Decision reason
OpenSSF Malicious Packages via OSV confirms nodemon-copack@3.1.15 as malicious (MAL-2026-5308): Malicious code in nodemon-copack (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory