nodemon-sudo: an npm Backdoor With No Install Script

2026-07-09 Safe Dep

https://safedep.io/malicious-nodemon-sudo-tslint-conf-npm-backdoor/

Thumbnail for nodemon-sudo: an npm Backdoor With No Install Script

`nodemon-sudo` v3.1.16 is a malicious npm lookalike that copies legitimate nodemon while adding an unused dependency on `tslint-conf`, a repackaged pino logger containing the backdoor. The payload avoids install hooks and import-time execution; it runs only when the fake logger middleware is called, spawning a detached Node process that fetches JavaScript from a Pinata IPFS gateway and executes it with real `require` access. SafeDep links the package pair to earlier `nodemon-node` and `ts-await` activity through reused code, IPFS and jsonkeeper infrastructure, and notes a resemblance to a North Korea-linked npm cluster documented elsewhere, but states that attribution is technique-based and not confirmed.

Indicators of Compromise

Type Value First Seen Last Seen
HASH d10853dde92fdc48d8cb5505d89e003… 2026-07-09 2026-07-09
HASH 541c35bd90653c9d7f93cdadb7f52c2… 2026-07-09 2026-07-09
HASH 2956b023858d706a5e241cd28b84508… 2026-07-09 2026-07-09
HASH d4b7add83e5c716b5e52082f713d71e… 2026-07-09 2026-07-09
HASH aa9b9847e4ffd894a19ec9712848651… 2026-07-09 2026-07-09
URL https://peach-eligible-penguin-… 2026-07-09 2026-07-09
URL https://peach-eligible-penguin-… 2026-07-09 2026-07-09
URL https://jsonkeeper.com/b/XRGF3 2026-02-19 2026-07-09
URL https://jsonkeeper.com/b/4NAKK 2026-02-19 2026-07-09

Related Reports

« Back