Which versions of o3forms are malicious?

The following npm versions of o3forms are flagged malicious: 90.0.0, 99.1.99. Treat any of these as compromised.

How do I remediate o3forms if I installed it?

Remove o3forms from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is o3forms part of a known attack campaign?

Yes — o3forms is associated with the IN-MAL-2026-005065, IN-MAL-2026-005159 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect o3forms in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking o3forms and packages like it before any post-install script runs.

Malicious package

o3formsnpm

Malicious code in o3forms (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5450

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall o3forms

What this malware does

The package name impersonates the OpenMRS O3 forms ecosystem (legitimate packages are published under the @openmrs/ scope). package.json declares an optionalDependency o3forms-utils resolved as github:core-modules-lab/o3forms-utils#76c1c55 — code fetched directly from GitHub, outside npm registry scanning. index.js (lines 1-4) wraps require('o3forms-utils') in a try/catch that silently swallows errors, so the off-registry payload executes on every consumer import with no visible failure if anything goes wrong. The package.json bin field maps 11 ubiquitous dev-tool names (webpack, vite, eslint, tsc, next, jest, prettier, nodemon, turbo, ts-node, webpack-cli) all to index.js, so any hoisted invocation of those commands (e.g. npx webpack) launches this package's loader and triggers the GitHub fetch+execute. Additional attacker-hygiene tells: version 99.1.99 (version-squat to outrank legitimate releases), config.unsafe-perm: true to keep root during npm scripts, and a placeholder OpenMRS Community Contributor author with no homepage. Installing or loading this package — or running any of the hijacked dev-tool commands in a project where it is hoisted — executes attacker-controlled code from a mutable GitHub commit.

Malicious versions

2 flagged

90.0.099.1.99

Indicators of compromise (SHA-256)

4d094d4429f1492bb6b99d802de86b97dc972e06d680a1287846e6d1635fe457

aacfdf714651bb7a6ab33cec3a675e5031157ce336db3f60a800bd7dc0ae5daf

Frequently asked questions

No. o3forms on npm has been identified as a malicious package (versions 90.0.0, 99.1.99 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005065IN-MAL-2026-005159

References

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection