nodemon-sudo: an npm Backdoor With No Install Script
2026-07-09 • Safe Dep •
https://safedep.io/malicious-nodemon-sudo-tslint-conf-npm-backdoor/
`nodemon-sudo` v3.1.16 is a malicious npm lookalike that copies legitimate nodemon while adding an unused dependency on `tslint-conf`, a repackaged pino logger containing the backdoor. The payload avoids install hooks and import-time execution; it runs only when the fake logger middleware is called, spawning a detached Node process that fetches JavaScript from a Pinata IPFS gateway and executes it with real `require` access. SafeDep links the package pair to earlier `nodemon-node` and `ts-await` activity through reused code, IPFS and jsonkeeper infrastructure, and notes a resemblance to a North Korea-linked npm cluster documented elsewhere, but states that attribution is technique-based and not confirmed.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | d10853dde92fdc48d8cb5505d89e003… | 2026-07-09 | 2026-07-09 |
| HASH | 541c35bd90653c9d7f93cdadb7f52c2… | 2026-07-09 | 2026-07-09 |
| HASH | 2956b023858d706a5e241cd28b84508… | 2026-07-09 | 2026-07-09 |
| HASH | d4b7add83e5c716b5e52082f713d71e… | 2026-07-09 | 2026-07-09 |
| HASH | aa9b9847e4ffd894a19ec9712848651… | 2026-07-09 | 2026-07-09 |
| URL | https://peach-eligible-penguin-… | 2026-07-09 | 2026-07-09 |
| URL | https://peach-eligible-penguin-… | 2026-07-09 | 2026-07-09 |
| URL | https://jsonkeeper.com/b/XRGF3 | 2026-02-19 | 2026-07-09 |
| URL | https://jsonkeeper.com/b/4NAKK | 2026-02-19 | 2026-07-09 |