malware
npm
nodemon-node
discovered 2026-07-09First-pair carrier in the emiltype/jsonspack operation, taken down by npm (now a 0.0.1-security holding package; the malicious 3.1.16 tarball is no longer served, registry returns a 21-byte JSON placeholder). Per SafeDep its backdoor is byte-identical to tslint-conf's and it references the SAME Pinata IPFS CID and the SAME jsonkeeper.com/b/XRGF3 dead-drop. Its payload partner was ts-await (also taken down; malicious version not captured). Tarball hash not recoverable.
Threat types
typosquat other
Malicious versions
- 3.1.16