MAL-2026-2203

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@emilgroup/discount-sdk-node/MAL-2026-2203.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-2203
Published
2026-03-26T00:33:27Z
Modified
2026-03-31T03:23:00.717777Z
Summary
Malicious code in @emilgroup/discount-sdk-node (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (98b66c2b21da822102c367293fd9acc95e864afb9bb8ddebcb3ac0d49ccf583e)

The package @emilgroup/discount-sdk-node was found to contain malicious code.

Source: google-open-source-security (241c16fb6a43caac88967c2615d54ef5ed36d03c39011c741aa9f90d5f51cd1e)

This package was compromised by the CanisterWorm campaign by the TeamPCP threat actor. The malicious payload establishes persistence as user systemd service and places a backdoor on the infected host. The malware will also harvest npm credentials and can autonomously spread.

Database specific
{
    "iocs": {
        "domains": [
            "litellm.cloud"
        ],
        "urls": [
            "https://tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io/"
        ]
    },
    "malicious-packages-origins": [
        {
            "source": "google-open-source-security",
            "sha256": "241c16fb6a43caac88967c2615d54ef5ed36d03c39011c741aa9f90d5f51cd1e",
            "import_time": "2026-03-26T00:34:45.415939Z",
            "modified_time": "2026-03-26T00:33:27Z",
            "versions": [
                "1.5.1",
                "1.5.2"
            ]
        },
        {
            "source": "amazon-inspector",
            "sha256": "98b66c2b21da822102c367293fd9acc95e864afb9bb8ddebcb3ac0d49ccf583e",
            "import_time": "2026-03-31T03:10:11.289327557Z",
            "modified_time": "2026-03-31T02:07:58Z",
            "versions": [
                "1.5.1",
                "1.5.2"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / @emilgroup/discount-sdk-node

Package

Name
@emilgroup/discount-sdk-node
View open source insights on deps.dev
Purl
pkg:npm/%40emilgroup/discount-sdk-node

Affected ranges

Affected versions

1.*
1.5.1
1.5.2

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@emilgroup/discount-sdk-node/MAL-2026-2203.json"