registry  /  nodemon-elint  /  3.1.13

nodemon-elint@3.1.13

Simple monitor script for use during development of a Node.js app.

OSV Malicious Advisory

scanned 3h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10508 confirms this npm version as malicious. nodemon-elint@3.1.13 copies the source tree, README, author metadata, and homepage of the legitimate `nodemon` package but is published under a confusable name. Its package.json declares a runtime dependency on `type-elint@^3.3.7`, which is not required or imported by any file under lib/ and has no documented purpose in the package...

Advisory
MAL-2026-10508
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in nodemon-elint (npm)
Details
nodemon-elint@3.1.13 copies the source tree, README, author metadata, and homepage of the legitimate `nodemon` package but is published under a confusable name. Its package.json declares a runtime dependency on `type-elint@^3.3.7`, which is not required or imported by any file under lib/ and has no documented purpose in the package. Installing nodemon-elint therefore causes npm to resolve and install `type-elint` into the installer's dependency tree, where any install-time lifecycle scripts or require-time side effects in that sibling package execute on the installer's machine. The package.json also lists `chai@^4.4.1` — a test assertion library — under `dependencies` rather than `devDependencies`, with no `require('chai')` anywhere in lib/, an additional anomalous production dependency inconsistent with upstream nodemon. The pattern (name-confusion wrapper of a popular package + undocumented, unused sibling dependency whose name mirrors the typosquat scheme) is a dependency-chain drop: the wrapper itself contains no visible payload, but installing it pulls in attacker-controlled code via the forced dependency.
Decision reason
No blocking static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemShell
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 27 file(s), 82.2 KB of source, external domains: git.io, github.com

Source & flagged code

2 flagged · loading source
bin/nodemon.jsView file
2L3: const cli = require('../lib/cli'); L4: const nodemon = require('../lib/');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/nodemon.jsView on unpkg · L2
bin/windows-kill.exeView file
path = bin/windows-kill.exe kind = native_binary sizeBytes = 80384 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

bin/windows-kill.exeView on unpkg

Findings

4 Medium3 Low
MediumDynamic Requirebin/nodemon.js
MediumEnvironment Vars
MediumShips Native Binarybin/windows-kill.exe
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowUrl Strings