nodemon-gulp @3.1.16
Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 6:28 PM UTC
OSV ID
MAL-2026-10065
Ecosystem
npm
Summary
The package name nodemon-gulp impersonates the widely used nodemon package (and collides with the legitimate gulp-nodemon ). The tarball is a near-verbatim copy of the real nodemon source with the original author/homepage metadata reused as cover. The manifest declares ts-webplug@^3.0.5 (and chai , normally a devDependency) under dependencies , but neither package is require() d anywhere under lib/ or bin/ . Because the deps are unused by the wrapper, their only effect is to be resolved and installed onto any machine that runs npm install nodemon-gulp — the typosquat wrapper is inert, and the installer-facing payload lives in the transitive package ts-webplug , which is silently pulled into the dependency tree. This is the standard typosquat-plus-dependency-injection dropper shape: a familiar-looking clone that exists to deliver an attacker-controlled transitive.
Source: amazon-inspector (04b5ac5c522b156a64f943a2d8e2dfd170230d0a23ac0bae5ada0945c7aee4c7)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.