nodemon-sudo @3.1.16
Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 6:28 PM UTC
OSV ID
MAL-2026-10014
Ecosystem
npm
Summary
Package nodemon-sudo copies upstream nodemon 's identity — package.json reuses Remy Sharp as author, https://nodemon.io as homepage, and github.com/remy/nodemon.git as repository, and ships an essentially unmodified copy of nodemon's source. The bin entry is named nodemon , so a global install shadows the real nodemon CLI in the installer's PATH. The manifest additionally declares tslint-conf in dependencies , which is not part of upstream nodemon's dependency set and has no role in nodemon's runtime; installing nodemon-sudo therefore pulls this unrelated third-party package into the installer's node_modules. The package itself was not observed exfiltrating data, executing remote code at install time, or shipping a backdoor — the concern is name-confusion (a developer following a tutorial that suggests sudo may install this instead of nodemon ), CLI hijack via the shared nodemon bin name, and the injection of an off-purpose dependency into downstream dependency graphs.
Source: amazon-inspector (ffc26c0e85db45d7e314fbce4140e9abda3f2eb0912cf1bd9259572a7b7d8f33)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.