MAL-2026-2208

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@emilgroup/setting-sdk/MAL-2026-2208.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-2208
Published
2026-03-26T00:33:27Z
Modified
2026-03-31T03:21:08.836889Z
Summary
Malicious code in @emilgroup/setting-sdk (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (679e8996c56ffd334a5fd610afb087430e91e54ef7371e70ba8ce6170b3b9cf9)

The package @emilgroup/setting-sdk was found to contain malicious code.

Source: google-open-source-security (8024c6ab9e2a90120288605aead40496c0059184b47bec681c39acf7e54c90af)

This package was compromised by the CanisterWorm campaign by the TeamPCP threat actor. The malicious payload establishes persistence as user systemd service and places a backdoor on the infected host. The malware will also harvest npm credentials and can autonomously spread.

Database specific 
{
    "iocs": {
        "domains": [
            "litellm.cloud"
        ],
        "urls": [
            "https://tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io/"
        ]
    },
    "malicious-packages-origins": [
        {
            "import_time": "2026-03-26T00:34:45.446033Z",
            "sha256": "8024c6ab9e2a90120288605aead40496c0059184b47bec681c39acf7e54c90af",
            "source": "google-open-source-security",
            "modified_time": "2026-03-26T00:33:27Z",
            "versions": [
                "0.2.2",
                "0.2.1",
                "0.2.3"
            ]
        },
        {
            "import_time": "2026-03-31T03:10:06.542640189Z",
            "sha256": "679e8996c56ffd334a5fd610afb087430e91e54ef7371e70ba8ce6170b3b9cf9",
            "source": "amazon-inspector",
            "modified_time": "2026-03-31T02:07:58Z",
            "versions": [
                "0.2.2",
                "0.2.1",
                "0.2.3"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / @emilgroup/setting-sdk

Package

Name
@emilgroup/setting-sdk
View open source insights on deps.dev
Purl
pkg:npm/%40emilgroup/setting-sdk

Affected ranges

Affected versions

0.*
0.2.1
0.2.2
0.2.3

Database specific

source 
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@emilgroup/setting-sdk/MAL-2026-2208.json"