opengov-form-builder
@opengov/form-builder CanisterWorm npm Backdoor
TeamPCP's CanisterWorm campaign backdoored @opengov/form-builder 0.12.3 after npm publishing credentials were stolen through the second Trivy compromise. The malicious release added a postinstall payload that installed a persistent Python implant and polled an Internet Computer canister C2. The worm harvested npm publishing tokens, enumerated packages the victim could publish, bumped patch versions, injected the same payload, and republished with the latest tag. Follow-on capability included Kubernetes DaemonSet deployment that varied by geolocation and cluster context.
- Date: 2026-03-21
- Category: Open Source
- Target Surface: Package registry
- Insertion Phase: distribution
- Impact: Credential theft
- Cause: Compromised Account/Credentials
What Was Affected
Package: opengov-form-builder
Language: JavaScript
Component: Library
Artifact type: source archive
Domain type: package host
Domain: npmjs.com
Repository: npmjs.com/package/@opengov/form-builder
Compromised Versions
Incident Context
- Motive: Credential Theft/Self-Propagation
- Attribution: Advanced Persistent Threat
- Transitive: Yes
- User Impact: 0
- Observed Duration: 0 days
Evidence
Compromised Artifacts
Indicators and Changes
Hashes
sha256:6dc5a2428a8b5ce0761da68e9d844924839e8681b388bdd1b8ceea88237e4cfc
External References
Source Data
Source record: oss/opengov-form-builder/meta.yaml