MAL-2026-2210

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@opengov/form-builder/MAL-2026-2210.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-2210
Published
2026-03-26T00:33:27Z
Modified
2026-03-31T03:21:13.207027Z
Summary
Malicious code in @opengov/form-builder (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (19bbc2729962e719c0df5dd96e17dd7ceb90a0a5506ebb318cc50c19b6fe8bb8)

The package @opengov/form-builder was found to contain malicious code.

Source: google-open-source-security (6dc5a2428a8b5ce0761da68e9d844924839e8681b388bdd1b8ceea88237e4cfc)

This package was compromised by the CanisterWorm campaign by the TeamPCP threat actor. The malicious payload establishes persistence as user systemd service and places a backdoor on the infected host. The malware will also harvest npm credentials and can autonomously spread.

Database specific 
{
    "iocs": {
        "urls": [
            "https://tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io/"
        ],
        "domains": [
            "litellm.cloud"
        ]
    },
    "malicious-packages-origins": [
        {
            "import_time": "2026-03-26T00:34:45.555936Z",
            "source": "google-open-source-security",
            "sha256": "6dc5a2428a8b5ce0761da68e9d844924839e8681b388bdd1b8ceea88237e4cfc",
            "modified_time": "2026-03-26T00:33:27Z",
            "versions": [
                "0.12.3"
            ]
        },
        {
            "import_time": "2026-03-31T03:10:13.554998359Z",
            "source": "amazon-inspector",
            "sha256": "19bbc2729962e719c0df5dd96e17dd7ceb90a0a5506ebb318cc50c19b6fe8bb8",
            "modified_time": "2026-03-31T02:07:58Z",
            "versions": [
                "0.12.3"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / @opengov/form-builder

Package

Name
@opengov/form-builder
View open source insights on deps.dev
Purl
pkg:npm/%40opengov/form-builder

Affected ranges

Affected versions

0.*
0.12.3

Database specific

source 
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@opengov/form-builder/MAL-2026-2210.json"