MAL-2026-10014: Malicious code in nodemon-sudo (npm)
The nodemon-sudo npm package is a malicious package that impersonates the legitimate nodemon package by reusing its metadata and CLI name. It includes an unrelated dependency not present in the original nodemon, causing potential dependency pollution. Although no direct evidence of data exfiltration or backdoors was observed, the package's CLI hijacking risk and injected dependencies pose a significant threat. Systems with this package installed should be considered compromised, and all secrets should be rotated. Removal of the package alone may not fully remediate the compromise.
AI Analysis
Technical Summary
The nodemon-sudo package copies the legitimate nodemon package's identity, including author, homepage, and repository metadata, and uses the same CLI binary name 'nodemon', which can shadow the real nodemon CLI when installed globally. It introduces an unrelated dependency 'tslint-conf' not present in the upstream nodemon, potentially polluting downstream dependency graphs. While no direct malicious behavior such as data exfiltration or remote code execution at install time was observed, the package's design enables CLI hijacking and confusion, which can lead to compromise. According to the GHSA advisory, any system with this package installed should be considered fully compromised, requiring secret rotation and careful remediation.
Potential Impact
The primary impact is the potential full compromise of any computer with nodemon-sudo installed or running. The package's CLI hijacking can mislead developers and automated systems, potentially leading to execution of malicious code or unintended behavior. The injection of an unrelated dependency may introduce further risks. Secrets and keys stored on affected systems are at risk and must be rotated. Removing the package does not guarantee full remediation due to possible persistence of malicious software.
Mitigation Recommendations
Immediate removal of the nodemon-sudo package is recommended. All secrets and keys on affected systems should be rotated from a different, trusted computer. Due to the risk of full system compromise, a thorough investigation and remediation beyond package removal is advised. No official patch or fix exists as this is a malicious package impersonation; prevention involves verifying package authenticity before installation.
MAL-2026-10014: Malicious code in nodemon-sudo (npm)
Description
The nodemon-sudo npm package is a malicious package that impersonates the legitimate nodemon package by reusing its metadata and CLI name. It includes an unrelated dependency not present in the original nodemon, causing potential dependency pollution. Although no direct evidence of data exfiltration or backdoors was observed, the package's CLI hijacking risk and injected dependencies pose a significant threat. Systems with this package installed should be considered compromised, and all secrets should be rotated. Removal of the package alone may not fully remediate the compromise.
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The nodemon-sudo package copies the legitimate nodemon package's identity, including author, homepage, and repository metadata, and uses the same CLI binary name 'nodemon', which can shadow the real nodemon CLI when installed globally. It introduces an unrelated dependency 'tslint-conf' not present in the upstream nodemon, potentially polluting downstream dependency graphs. While no direct malicious behavior such as data exfiltration or remote code execution at install time was observed, the package's design enables CLI hijacking and confusion, which can lead to compromise. According to the GHSA advisory, any system with this package installed should be considered fully compromised, requiring secret rotation and careful remediation.
Potential Impact
The primary impact is the potential full compromise of any computer with nodemon-sudo installed or running. The package's CLI hijacking can mislead developers and automated systems, potentially leading to execution of malicious code or unintended behavior. The injection of an unrelated dependency may introduce further risks. Secrets and keys stored on affected systems are at risk and must be rotated. Removing the package does not guarantee full remediation due to possible persistence of malicious software.
Mitigation Recommendations
Immediate removal of the nodemon-sudo package is recommended. All secrets and keys on affected systems should be rotated from a different, trusted computer. Due to the risk of full system compromise, a thorough investigation and remediation beyond package removal is advised. No official patch or fix exists as this is a malicious package impersonation; prevention involves verifying package authenticity before installation.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- MAL-2026-10014
- Osv Schema Version
- 1.7.4
- Aliases
- ["GHSA-8228-4gjp-c339"]
- Ecosystems
- ["npm"]
- Database Specific Severity
- null
- Cvss Version
- null
Threat ID: 6a50ba9168715ace43582308
Added to database: 07/10/2026, 09:25:37 UTC
Last enriched: 07/10/2026, 10:09:43 UTC
Last updated: 07/10/2026, 10:09:43 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.