npm

nodemon-slint @3.1.13

Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC

Malicious

OSV ID

MAL-2026-10117

Ecosystem

npm

Summary

Package name, README, homepage (nodemon.io), author (remy), and source tree are copied verbatim from the widely-used 'nodemon' package, with the addition of a single novel runtime dependency 'type-slint' (^3.3.7) declared in package.json. That dependency is never imported by any file reachable from the declared main (lib/nodemon.js) or from bin/, so it serves no functional purpose within this package. The only installer-facing effect of the manifest change relative to nodemon is that 'npm install nodemon-slint' also resolves and installs 'type-slint' into the installer's dependency tree, where any install-time hooks or load-time side effects it contains will run. The host package itself does not exhibit exfiltration, install-time RCE, or backdoor behavior in its own code; the risk is carried by the co-installed sibling. Name similarity to 'nodemon' (a top-tier package) plus injection of an unreferenced dependency is the namespace-abuse / typosquat-dropper shape.

Source: amazon-inspector (5488028be686500c0af6b7f91ead55be9ddaeb86f3b920fce7eed6f8111b0050)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.