nodemon-elint @3.1.13
Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC
OSV ID
MAL-2026-10508
Ecosystem
npm
Summary
nodemon-elint@3.1.13 copies the source tree, README, author metadata, and homepage of the legitimate nodemon package but is published under a confusable name. Its package.json declares a runtime dependency on type-elint@^3.3.7 , which is not required or imported by any file under lib/ and has no documented purpose in the package. Installing nodemon-elint therefore causes npm to resolve and install type-elint into the installer's dependency tree, where any install-time lifecycle scripts or require-time side effects in that sibling package execute on the installer's machine. The package.json also lists chai@^4.4.1 — a test assertion library — under dependencies rather than devDependencies , with no require('chai') anywhere in lib/, an additional anomalous production dependency inconsistent with upstream nodemon. The pattern (name-confusion wrapper of a popular package + undocumented, unused sibling dependency whose name mirrors the typosquat scheme) is a dependency-chain drop: the wrapper itself contains no visible payload, but installing it pulls in attacker-controlled code via the forced dependency.
Source: amazon-inspector (869b2e1ce23c7668369cd6316bca7d3f8a564fa575ebbee8d1e3cf6a68d4ccaa)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.