npm

nodemon-copack @3.1.16

Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 6:28 PM UTC

Malicious

OSV ID

MAL-2026-5308

Ecosystem

npm

Summary

The package is published as 'nodemon-copack' but its package.json wholesale impersonates the legitimate nodemon project: homepage is set to https://nodemon.io, author is set to 'Remy Sharp', repository points to github.com/remy/nodemon, and a 'nodemon' bin entry installs a nodemon command into the consumer's PATH. The lib/* sources are a near-verbatim copy of upstream nodemon. The manifest declares two runtime dependencies that are absent from upstream nodemon and are not referenced by any file shipped in this tarball: 'regex-js' (^1.1.5) and 'chai' (^4.4.1). A grep across lib/ and bin/ shows no require('regex-js') or require('chai') , so neither package serves any functional purpose here; their only effect is to be silently pulled into the installer's dependency graph by anyone who installs nodemon-copack believing it is a legitimate nodemon fork. chai is a test-assertion library normally placed in devDependencies; its presence in runtime dependencies, alongside the unreferenced regex-js, is consistent with a dependency-smuggling pattern where the actual payload would live in the smuggled package rather than in this one. No exfiltration, RCE, credential access, or install-time destructive action is present in the package itself; the harm shape is namespace impersonation plus transitive-dep injection, where the danger depends on what regex-js / chai resolve to at install time.

Source: amazon-inspector (ad79a82314fcc935b1dbdcb12ca1c413af27877e51058a02665471744f2bcd7a)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.