VDB

GCVE-110-OSM-2026-1096

GCVE-110-OSM-2026-1096
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published March 20, 2026
Compromised npm package part of the CanisterWorm campaign (TeamPCP). Attacker gained publisher credentials and injected a backdoor via postinstall hook that polls an ICP canister C2 (tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io) for second-stage payloads, drops a Python implant to ~/.local/share/pgmon/service.py with systemd persistence, and worm-propagates by republishing malicious versions across all accessible packages. === PAYLOAD 1: Install Hook === Malicious payload found in: index.js (postinstall hook) Behavior: Decodes base64 Python backdoor, writes to ~/.local/share/pgmon/service.py, creates systemd user service pgmon.service === PAYLOAD 2: ICP Canister C2 === C2 URL: https://tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io/ Behavior: Polls ICP blockchain canister every 50 minutes for second-stage binary URL. Kill switch: skips URLs containing youtube.com === PAYLOAD 3: Persistence Implant === Implant path: ~/.local/share/pgmon/service.py Systemd service: ~/.config/systemd/user/pgmon.service Staging: /tmp/pglog (downloaded binary), /tmp/.pg_state (tracking) Behavior: Downloads binary to /tmp/pglog, chmod 755, executes detached. 5-min initial sleep. === PAYLOAD 4: Worm Propagation === Malicious payload found in: scripts/deploy.js Behavior: Harvests npm tokens from ~/.npmrc, .npmrc, /etc/npmrc, and NPM_TOKEN/NPM_TOKENS env vars. Enumerates all packages for each token owner. Bumps patch version and republishes with --tag latest. === FILE HASHES (SHA256) === index.js Wave 1 (dry run): e9b1e069efc778c1e77fb3f5fcc3bd3580bbc810604cbf4347897ddb4b8c163b index.js Wave 2 (armed): 61ff00a81b19624adaad425b9129ba2f312f4ab76fb5ddc2c628a5037d31a4ba index.js Wave 3 (self-propagating test): 0c0d206d5e68c0cf64d57ffa8bc5b1dad54f2dda52f24e96e02e237498cb9c3a index.js Wave 4 (final): c37c0ae9641d2e5329fcdee847a756bf1140fdb7f0b7c78a40fdc39055e7d926 deploy.js Wave 1: f398f06eefcd3558c38820a397e3193856e4e6e7c67f81ecc8e533275284b152 deploy.js Wave 2: 7df6cef7ab9aae2ea08f2f872f6456b5d51d896ddda907a238cd6668ccdc4bb7 deploy.js Wave 3+: 5e2ba7c4c53fa6e0cef58011acdd50682cf83fb7b989712d2fcf1b5173bad956

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknowneslint-config-service-usersall (affected)

Browse GCVE Records

72,409 records in the GCVE database · Updated July 14, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›