npm · Malicious package advisory
Malwareo3forms
MAL-2026-5450
Malicious code in o3forms (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (4d094d4429f1492bb6b99d802de86b97dc972e06d680a1287846e6d1635fe457)
The package name impersonates the OpenMRS O3 forms ecosystem (legitimate packages are published under the @openmrs/ scope). package.json declares an optionalDependency `o3forms-utils` resolved as `github:core-modules-lab/o3forms-utils#76c1c55` — code fetched directly from GitHub, outside npm registry scanning. index.js (lines 1-4) wraps `require('o3forms-utils')` in a try/catch that silently swallows errors, so the off-registry payload executes on every consumer import with no visible failure if anything goes wrong. The package.json `bin` field maps 11 ubiquitous dev-tool names (webpack, vite, eslint, tsc, next, jest, prettier, nodemon, turbo, ts-node, webpack-cli) all to index.js, so any hoisted invocation of those commands (e.g. `npx webpack`) launches this package's loader and triggers the GitHub fetch+execute. Additional attacker-hygiene tells: version 99.1.99 (version-squat to outrank legitimate releases), `config.unsafe-perm: true` to keep root during npm scripts, and a placeholder `OpenMRS Community Contributor` author with no homepage. Installing or loading this package — or running any of the hijacked dev-tool commands in a project where it is hoisted — executes attacker-controlled code from a mutable GitHub commit.
Compromised versions (2)
- 99.1.99
- 90.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.