Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

MAL-2026-10014: Malicious code in nodemon-sudo (npm)

0
Critical
Published: 07/09/2026 (07/09/2026, 12:35:13 UTC)
Source: GCVE Database
Product: nodemon-sudo

Description

The nodemon-sudo npm package is a malicious package that impersonates the legitimate nodemon package by reusing its metadata and CLI name. It includes an unrelated dependency not present in the original nodemon, causing potential dependency pollution. Although no direct evidence of data exfiltration or backdoors was observed, the package's CLI hijacking risk and injected dependencies pose a significant threat. Systems with this package installed should be considered compromised, and all secrets should be rotated. Removal of the package alone may not fully remediate the compromise.

Affected software

npmghsa
nodemon-sudo
Affected versions
=3.1.16

Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/10/2026, 10:09:43 UTC

Technical Analysis

The nodemon-sudo package copies the legitimate nodemon package's identity, including author, homepage, and repository metadata, and uses the same CLI binary name 'nodemon', which can shadow the real nodemon CLI when installed globally. It introduces an unrelated dependency 'tslint-conf' not present in the upstream nodemon, potentially polluting downstream dependency graphs. While no direct malicious behavior such as data exfiltration or remote code execution at install time was observed, the package's design enables CLI hijacking and confusion, which can lead to compromise. According to the GHSA advisory, any system with this package installed should be considered fully compromised, requiring secret rotation and careful remediation.

Potential Impact

The primary impact is the potential full compromise of any computer with nodemon-sudo installed or running. The package's CLI hijacking can mislead developers and automated systems, potentially leading to execution of malicious code or unintended behavior. The injection of an unrelated dependency may introduce further risks. Secrets and keys stored on affected systems are at risk and must be rotated. Removing the package does not guarantee full remediation due to possible persistence of malicious software.

Mitigation Recommendations

Immediate removal of the nodemon-sudo package is recommended. All secrets and keys on affected systems should be rotated from a different, trusted computer. Due to the risk of full system compromise, a thorough investigation and remediation beyond package removal is advised. No official patch or fix exists as this is a malicious package impersonation; prevention involves verifying package authenticity before installation.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Gcve Source
db.gcve.eu
Osv Id
MAL-2026-10014
Osv Schema Version
1.7.4
Aliases
["GHSA-8228-4gjp-c339"]
Ecosystems
["npm"]
Database Specific Severity
null
Cvss Version
null

Threat ID: 6a50ba9168715ace43582308

Added to database: 07/10/2026, 09:25:37 UTC

Last enriched: 07/10/2026, 10:09:43 UTC

Last updated: 07/10/2026, 10:09:43 UTC

Views: 2

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses