nodemon-web @3.1.13
Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC
OSV ID
MAL-2026-10515
Ecosystem
npm
Summary
nodemon-web copies the source of the popular nodemon package verbatim and reuses Remy Sharp's author metadata and the https://github.com/remy/nodemon.git repository URL, while publishing under a lookalike name from an unrelated account. package.json declares a runtime dependency on type-swap@^3.1.3 that is not required or imported anywhere in the package's own code; the real nodemon has no such dependency. Installing nodemon-web therefore silently resolves and installs type-swap into the consumer's node_modules under cover of a familiar name and impersonated maintainer identity, adding third-party code to the installer's dependency tree that the package itself never uses.
Source: amazon-inspector (c3f5aa35dd34f3c1d075d6ebee3f25a0445780f6f2c78d55a958868e530fe315)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.