MAL-2026-10507

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/nodemon-delog/MAL-2026-10507.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10507
Published
2026-07-13T22:12:25Z
Modified
2026-07-13T22:31:58.130583805Z
Summary
Malicious code in nodemon-delog (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (ea1c5b4054d6daffaf190005db661027e29255ae20de1bb410f506de1f178532)

nodemon-delog is published under a name that resembles the widely-used nodemon package and ships a verbatim copy of nodemon's source tree, README, homepage (nodemon.io), author (Remy Sharp), and repository metadata (github.com/remy/nodemon), presenting itself as the real project. Its package.json declares two runtime dependencies that upstream nodemon does not use and that no file under lib/ or bin/ references: type-atob and chai. Because these are declared under dependencies, they are resolved and installed into the consumer's node_modules on npm install nodemon-delog, regardless of the fact that nodemon-delog's own code never imports them. The lure package itself contains no exfiltration or RCE code; the harm mechanism is the forced resolution of the sibling packages into the installer's dependency tree, where their install/require-time code will execute. The impersonation of an established package, combined with the presence of runtime dependencies unrelated to the advertised functionality and unreferenced by any shipped file, is the dependency-smuggling lure pattern.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-07-13T22:12:25Z",
            "versions": [
                "3.1.13"
            ],
            "sha256": "ea1c5b4054d6daffaf190005db661027e29255ae20de1bb410f506de1f178532",
            "import_time": "2026-07-13T22:21:57.568061923Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-010348"
        }
    ]
}
References
Credits

Affected packages

npm / nodemon-delog

Package

Affected ranges

Affected versions

3.*
3.1.13

Database specific

indicators
{
    "evidence_files": [
        {
            "tlsh": "20410029eca9cda30ec815a5686901466135d90f8d80fc0cb3da636c4f5e57f70fca2e",
            "sha256": "1cfeb6899567dc7486337e1079c2e1daa211b977099fff6138a1a7252d31d2e3",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha1": "4ba5a5f6a1f19564af018589fce9899f3715e5ec",
                "sha512_sri": "sha512-1aIVWvt/1iAxb3G9L0XjJJ9UJapiksek+B+VocSfdebcV6ey0260sXRDqNpgAJP+h62imv7NDsCUjcmxLUGKEg=="
            },
            "filename": "nodemon-delog-3.1.13.tgz"
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/nodemon-delog/MAL-2026-10507.json"