nodemon-patch @3.1.16
Vulnerability report · Last retrieved from osv.dev July 10, 2026 at 4:33 PM UTC
OSV ID
MAL-2026-10110
Ecosystem
npm
Summary
The package is named nodemon-patch but its package.json metadata (homepage https://nodemon.io, author Remy Sharp / github.com/remy, repository, funding) and lib/ source are copied verbatim from the legitimate nodemon package by Remy Sharp. The package author has not published nodemon and the name is a single-suffix variant of a top-100 npm package, consistent with namespace impersonation. The local lib/ code mirrors upstream nodemon and is functionally benign on its own, but package.json declares a runtime dependency on webpack-patch@^1.1.7 — a similarly-shaped *-patch name that is not a dependency of real nodemon and does not correspond to any established OSS library — plus chai as a runtime (not dev) dependency. Any developer who runs npm i nodemon-patch expecting nodemon will silently pull webpack-patch into their dependency tree, where its install/require-time code would execute. The combination of cloned identity metadata + a same-suffix sibling dependency with no legitimate provenance is the namespace-abuse / dropper-lure shape, but confirming installer harm requires inspecting webpack-patch itself.
Source: amazon-inspector (15ac606888cb1a54710bafa78dc76d760bef1088bb5e2cc0f0323614341345e5)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.