malware npm

nodemon-node

discovered 2026-07-09

First-pair carrier in the emiltype/jsonspack operation, taken down by npm (now a 0.0.1-security holding package; the malicious 3.1.16 tarball is no longer served, registry returns a 21-byte JSON placeholder). Per SafeDep its backdoor is byte-identical to tslint-conf's and it references the SAME Pinata IPFS CID and the SAME jsonkeeper.com/b/XRGF3 dead-drop. Its payload partner was ts-await (also taken down; malicious version not captured). Tarball hash not recoverable.

Threat types

typosquat other

Malicious versions

  • 3.1.16

Campaigns

Indicators

Techniques

Read the full analysis →