{"id":"MAL-2026-2204","summary":"Malicious code in @emilgroup/numbergenerator-sdk-node (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (fb683bd2b58170dd475a632d83ded202109e3d58609bbc2952c83baa19c6f3b3)\nThe package @emilgroup/numbergenerator-sdk-node was found to contain malicious code.\n\n## Source: google-open-source-security (90100100e437bb02e8199a8991ba3bfcca6766a5e9e821cc29d31940ce1b5b5e)\nThis package was compromised by the CanisterWorm campaign by the TeamPCP\nthreat actor. The malicious payload establishes persistence as user systemd\nservice and places a backdoor on the infected host. The malware will also\nharvest npm credentials and can autonomously spread.\n","modified":"2026-03-31T03:23:22.162965Z","published":"2026-03-26T00:33:27Z","database_specific":{"iocs":{"domains":["litellm.cloud"],"urls":["https://tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io/"]},"malicious-packages-origins":[{"versions":["1.3.1","1.3.2","1.3.3"],"sha256":"90100100e437bb02e8199a8991ba3bfcca6766a5e9e821cc29d31940ce1b5b5e","modified_time":"2026-03-26T00:33:27Z","source":"google-open-source-security","import_time":"2026-03-26T00:34:45.425918Z"},{"versions":["1.3.1","1.3.2","1.3.3"],"sha256":"fb683bd2b58170dd475a632d83ded202109e3d58609bbc2952c83baa19c6f3b3","modified_time":"2026-03-31T02:07:58Z","source":"amazon-inspector","import_time":"2026-03-31T03:10:11.925190918Z"}]},"references":[{"type":"WEB","url":"https://socket.dev/blog/canisterworm-npm-publisher-compromise-deploys-backdoor-across-29-packages"},{"type":"WEB","url":"https://research.jfrog.com/post/canister-worm/"},{"type":"WEB","url":"https://www.endorlabs.com/learn/canisterworm"}],"affected":[{"package":{"name":"@emilgroup/numbergenerator-sdk-node","ecosystem":"npm","purl":"pkg:npm/%40emilgroup/numbergenerator-sdk-node"},"versions":["1.3.1","1.3.2","1.3.3"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@emilgroup/numbergenerator-sdk-node/MAL-2026-2204.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}