{"id":"MAL-2026-2210","summary":"Malicious code in @opengov/form-builder (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (19bbc2729962e719c0df5dd96e17dd7ceb90a0a5506ebb318cc50c19b6fe8bb8)\nThe package @opengov/form-builder was found to contain malicious code.\n\n## Source: google-open-source-security (6dc5a2428a8b5ce0761da68e9d844924839e8681b388bdd1b8ceea88237e4cfc)\nThis package was compromised by the CanisterWorm campaign by the TeamPCP\nthreat actor. The malicious payload establishes persistence as user systemd\nservice and places a backdoor on the infected host. The malware will also\nharvest npm credentials and can autonomously spread.\n","modified":"2026-03-31T03:21:13.207027Z","published":"2026-03-26T00:33:27Z","database_specific":{"malicious-packages-origins":[{"versions":["0.12.3"],"source":"google-open-source-security","modified_time":"2026-03-26T00:33:27Z","import_time":"2026-03-26T00:34:45.555936Z","sha256":"6dc5a2428a8b5ce0761da68e9d844924839e8681b388bdd1b8ceea88237e4cfc"},{"versions":["0.12.3"],"source":"amazon-inspector","modified_time":"2026-03-31T02:07:58Z","import_time":"2026-03-31T03:10:13.554998359Z","sha256":"19bbc2729962e719c0df5dd96e17dd7ceb90a0a5506ebb318cc50c19b6fe8bb8"}],"iocs":{"urls":["https://tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io/"],"domains":["litellm.cloud"]}},"references":[{"type":"WEB","url":"https://socket.dev/blog/canisterworm-npm-publisher-compromise-deploys-backdoor-across-29-packages"},{"type":"WEB","url":"https://research.jfrog.com/post/canister-worm/"},{"type":"WEB","url":"https://www.endorlabs.com/learn/canisterworm"}],"affected":[{"package":{"name":"@opengov/form-builder","ecosystem":"npm","purl":"pkg:npm/%40opengov/form-builder"},"versions":["0.12.3"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@opengov/form-builder/MAL-2026-2210.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}