VDB

GCVE-110-OSM-2026-1104

GCVE-110-OSM-2026-1104
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published March 20, 2026
Compromised npm package part of the CanisterWorm campaign (TeamPCP). Attacker gained publisher credentials and injected a backdoor via postinstall hook that polls an ICP canister C2 (tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io) for second-stage payloads, drops a Python implant to ~/.local/share/pgmon/service.py with systemd persistence, and worm-propagates by republishing malicious versions across all accessible packages. === PAYLOAD 1: Install Hook === Malicious payload found in: index.js (postinstall hook) Behavior: Executes backdoor code on npm install === PAYLOAD 2: ICP Canister C2 === C2 URL: https://tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io/ Behavior: Polls ICP blockchain canister every 50 minutes for second-stage binary URL === PAYLOAD 3: Persistence Implant === Implant path: ~/.local/share/pgmon/service.py Systemd service: ~/.config/systemd/user/pgmon.service Staging: /tmp/pglog (downloaded binary), /tmp/.pg_state (tracking) Behavior: Downloads binary to /tmp/pglog, persists via systemd --user as pgmon service === PAYLOAD 4: Worm Propagation === Malicious payload found in: scripts/deploy.js Behavior: Harvests .npmrc tokens and republishes malicious versions with --tag latest across all accessible packages

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknown@teale.io/eslint-configall (affected)

Browse GCVE Records

72,337 records in the GCVE database · Updated July 14, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›