MAL-2026-2212

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@opengov/qa-record-types-api/MAL-2026-2212.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-2212
Published
2026-03-26T00:33:27Z
Modified
2026-03-31T03:21:09.158591Z
Summary
Malicious code in @opengov/qa-record-types-api (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (0be39ed161d642824f2ce1f8511e03759918909ba0218265174294129a172d01)

The package @opengov/qa-record-types-api was found to contain malicious code.

Source: google-open-source-security (03f7d81caa0f24d641f08ec69b5bb5e3985ea05e1e92e6f7a6db24eb521de525)

This package was compromised by the CanisterWorm campaign by the TeamPCP threat actor. The malicious payload establishes persistence as user systemd service and places a backdoor on the infected host. The malware will also harvest npm credentials and can autonomously spread.

Database specific 
{
    "iocs": {
        "urls": [
            "https://tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io/"
        ],
        "domains": [
            "litellm.cloud"
        ]
    },
    "malicious-packages-origins": [
        {
            "import_time": "2026-03-26T00:34:45.490178Z",
            "versions": [
                "1.0.3"
            ],
            "sha256": "03f7d81caa0f24d641f08ec69b5bb5e3985ea05e1e92e6f7a6db24eb521de525",
            "source": "google-open-source-security",
            "modified_time": "2026-03-26T00:33:27Z"
        },
        {
            "import_time": "2026-03-31T03:10:10.578345586Z",
            "versions": [
                "1.0.3"
            ],
            "sha256": "0be39ed161d642824f2ce1f8511e03759918909ba0218265174294129a172d01",
            "source": "amazon-inspector",
            "modified_time": "2026-03-31T02:07:58Z"
        }
    ]
}
References
Credits

Affected packages

npm / @opengov/qa-record-types-api

Package

Name
@opengov/qa-record-types-api
View open source insights on deps.dev
Purl
pkg:npm/%40opengov/qa-record-types-api

Affected ranges

Affected versions

1.*
1.0.3

Database specific

source 
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@opengov/qa-record-types-api/MAL-2026-2212.json"