Open Source · 2026-03-21 · 0 days · Credential Theft, Self Propagation

OpenGov form builder carried CanisterWorm

@opengov/form-builder 0.12.3 added a postinstall backdoor during TeamPCP's CanisterWorm campaign. The worm used npm tokens stolen through the second Trivy compromise.

Story

On March 21, 2026, a self-spreading npm worm that StepSecurity christened CanisterWorm reached the @opengov namespace and republished @opengov/form-builder with a backdoor. The compromised release, 0.12.3, was one of a series of packages the worm rewrote that week using npm publishing tokens stolen days earlier in the second compromise of the Trivy scanner.

StepSecurity attributed the activity to the threat actor it tracks as TeamPCP. According to the firm's writeup, malicious Trivy tooling harvested CI/CD environment variables and runner process memory through /proc/<pid>/mem, and the resulting npm credentials became the worm's propagation fuel. Anywhere a stolen token could reach, CanisterWorm enumerated the account's packages, bumped a patch version, and pushed a backdoored release.

The diff in @opengov/form-builder was straightforward. Earlier releases carried no lifecycle script; 0.12.3 added "postinstall": "node index.js", giving the package code execution at install time, before any application code ran. The JavaScript loader carried a base64-encoded Python implant that wrote ~/.local/share/pgmon/service.py, registered a user-level systemd unit at ~/.config/systemd/user/pgmon.service with Restart=always, and polled an Internet Computer canister at tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io for commands. A propagation component scanned npm configuration and environment variables for any further publish tokens and used them to keep the worm moving.

This record covers the @opengov/form-builder artifact. The broader Trivy credential theft, self-propagation behavior, and destructive Kubernetes payloads sit on the TeamPCP campaign page.

Affected Artifacts

Incident Context

Motive: Credential Theft, Self Propagation
Attribution: Group
Cause: Compromised Account Credentials
Transitive: Yes
Actor: Advanced Persistent Threat

External References

Source record: oss/attacks/opengov-form-builder/meta.yaml