malware npm

nodemon-sudo

discovered 2026-07-09

Byte-for-byte clone of the real nodemon process monitor (keeps author 'Remy Sharp', real bin/nodemon.js and every lib file), version-inflated to 3.1.16 (one bump above real nodemon 3.1.14) to read as ahead of upstream. Carrier only: injects a single malicious runtime dependency, [email protected] (and promotes chai to a runtime dep); nodemon-sudo's own code never imports tslint-conf. No install lifecycle hook. Published 2026-07-07 by npm account conodeeth. SafeDep isMalware=true CONFIDENCE_HIGH.

Threat types

typosquat other

Malicious versions

  • 3.1.16 · aa9b9847e4ffd894…

Campaigns

Indicators

Techniques

Read the full analysis →