MAL-2026-2209

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@emilgroup/translation-sdk-node/MAL-2026-2209.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-2209
Published
2026-03-26T00:33:27Z
Modified
2026-03-31T03:21:08.576703Z
Summary
Malicious code in @emilgroup/translation-sdk-node (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (c57e1ecf29d7f74f2eaa6c7a75ff66ffc3ddc722a9076bcdc634c9798d578d84)

The package @emilgroup/translation-sdk-node was found to contain malicious code.

Source: google-open-source-security (b15478c01a0b8b57a55108989bba9162234d76bfbcbdeaac01ca3fa265b1d088)

This package was compromised by the CanisterWorm campaign by the TeamPCP threat actor. The malicious payload establishes persistence as user systemd service and places a backdoor on the infected host. The malware will also harvest npm credentials and can autonomously spread.

Database specific 
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-03-26T00:33:27Z",
            "versions": [
                "1.1.2",
                "1.1.1"
            ],
            "sha256": "b15478c01a0b8b57a55108989bba9162234d76bfbcbdeaac01ca3fa265b1d088",
            "source": "google-open-source-security",
            "import_time": "2026-03-26T00:34:45.240151Z"
        },
        {
            "modified_time": "2026-03-31T02:07:58Z",
            "versions": [
                "1.1.2",
                "1.1.1"
            ],
            "sha256": "c57e1ecf29d7f74f2eaa6c7a75ff66ffc3ddc722a9076bcdc634c9798d578d84",
            "source": "amazon-inspector",
            "import_time": "2026-03-31T03:10:09.372194963Z"
        }
    ],
    "iocs": {
        "domains": [
            "litellm.cloud"
        ],
        "urls": [
            "https://tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io/"
        ]
    }
}
References
Credits

Affected packages

npm / @emilgroup/translation-sdk-node

Package

Name
@emilgroup/translation-sdk-node
View open source insights on deps.dev
Purl
pkg:npm/%40emilgroup/translation-sdk-node

Affected ranges

Affected versions

1.*
1.1.1
1.1.2

Database specific

source 
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@emilgroup/translation-sdk-node/MAL-2026-2209.json"