OSV Malicious Advisory
scanned 3h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10508 confirms this npm version as malicious. nodemon-elint@3.1.13 copies the source tree, README, author metadata, and homepage of the legitimate `nodemon` package but is published under a confusable name. Its package.json declares a runtime dependency on `type-elint@^3.3.7`, which is not required or imported by any file under lib/ and has no documented purpose in the package...
Advisory
MAL-2026-10508
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in nodemon-elint (npm)
Details
nodemon-elint@3.1.13 copies the source tree, README, author metadata, and homepage of the legitimate `nodemon` package but is published under a confusable name. Its package.json declares a runtime dependency on `type-elint@^3.3.7`, which is not required or imported by any file under lib/ and has no documented purpose in the package. Installing nodemon-elint therefore causes npm to resolve and install `type-elint` into the installer's dependency tree, where any install-time lifecycle scripts or require-time side effects in that sibling package execute on the installer's machine. The package.json also lists `chai@^4.4.1` — a test assertion library — under `dependencies` rather than `devDependencies`, with no `require('chai')` anywhere in lib/, an additional anomalous production dependency inconsistent with upstream nodemon. The pattern (name-confusion wrapper of a popular package + undocumented, unused sibling dependency whose name mirrors the typosquat scheme) is a dependency-chain drop: the wrapper itself contains no visible payload, but installing it pulls in attacker-controlled code via the forced dependency.
Decision reason
No blocking static signals were detected.
References
Decision evidence
public snapshotBehavioral surface
ChildProcessDynamicRequireEnvironmentVarsFilesystemShell
UrlStrings
Source & flagged code
2 flagged · loading sourcebin/nodemon.jsView file
2L3: const cli = require('../lib/cli');
L4: const nodemon = require('../lib/');
Medium
Dynamic Require
Package source references dynamic require/import behavior.
bin/nodemon.jsView on unpkg · L2bin/windows-kill.exeView file
•path = bin/windows-kill.exe
kind = native_binary
sizeBytes = 80384
magicHex = [redacted]
Medium
Findings
4 Medium3 Low
MediumDynamic Requirebin/nodemon.js
MediumEnvironment Vars
MediumShips Native Binarybin/windows-kill.exe
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowUrl Strings