TeamPCP Worm Poisons Open Source npm Packages, Deploys Kamikaze Wiper Against Iranian Machines
A hacking group calling itself TeamPCP has been running a sustained campaign that combines self-propagating malware, supply-chain attacks on open-source tooling (including the widely used Trivy vulnerability scanner), and a data wiper that activates only on machines that appear to be in Iran.
The Campaign
Supply Chain Attack on Trivy
TeamPCP gained privileged access to Aqua Security's GitHub account and compromised virtually all versions of the Trivy vulnerability scanner. Because Trivy is itself a tool that CI/CD pipelines run with access to source trees and credentials, any pipeline that pulled Trivy from upstream while the account was compromised should be treated as exposed until the binary or action it uses has been verified against a known-good release.
CanisterWorm
The worm uses a canister (a smart contract that no single party can alter or take offline) on the Internet Computer Protocol as its command-and-control channel, which makes the C2 far harder to disrupt than a conventional server or domain:
- Spreads automatically through npm packages, publishing poisoned versions with stolen maintainer tokens
- Targeted 28 packages in less than 60 seconds
- CI/CD pipelines that install a poisoned package and hold their own publish tokens become further propagation vectors
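The propagation path above is the generic one for npm worms: a package installed on a CI runner executes at install time, harvests whatever publish tokens the runner holds, and republishes itself. The audit below is an added example, not code from TeamPCP, Aikido, Trivy or the original article; it checks a package-lock.json for entries that resolve outside the expected registry or lack an integrity hash, and scans dependency manifests for scripts npm runs automatically during install. The lockfile, manifests and package names in it are constructed for illustration. One caveat a practitioner should keep in mind: a version published with a stolen maintainer token comes from the legitimate registry with a valid hash, so the registry and integrity checks catch tampering elsewhere in the pipeline, while the install-hook scan is what surfaces code that can run on the runner.

```python
"""Audit an npm lockfile and dependency manifests for the two things a
self-propagating package worm relies on: code that runs at install time, and
packages pulled from somewhere other than the registry you think you use.

Added example; not TeamPCP, Aikido or Trivy code. The lockfile and manifest
JSON below are constructed for illustration, as are all package names in them.
"""

import json
from urllib.parse import urlparse

EXPECTED_REGISTRY = "registry.npmjs.org"
# npm runs these lifecycle scripts automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Constructed package-lock.json (lockfileVersion 3 layout); the integrity
# strings are placeholders, not real hashes.
SAMPLE_LOCK = json.loads(r"""
{
  "name": "example-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "example-app", "dependencies": {"left-widget": "^1.0.0"}},
    "node_modules/left-widget": {
      "version": "1.0.3",
      "resolved": "https://registry.npmjs.org/left-widget/-/left-widget-1.0.3.tgz",
      "integrity": "sha512-AAAA"
    },
    "node_modules/color-helper": {
      "version": "2.4.1",
      "resolved": "https://mirror.example.net/color-helper/-/color-helper-2.4.1.tgz",
      "integrity": "sha512-BBBB"
    },
    "node_modules/tiny-logger": {
      "version": "0.9.0",
      "resolved": "https://registry.npmjs.org/tiny-logger/-/tiny-logger-0.9.0.tgz"
    }
  }
}
""")

# Constructed manifests as they would appear in node_modules/<pkg>/package.json.
SAMPLE_MANIFESTS = {
    "left-widget": {"name": "left-widget", "version": "1.0.3",
                    "scripts": {"test": "node test.js"}},
    "color-helper": {"name": "color-helper", "version": "2.4.1",
                     "scripts": {"postinstall": "node setup.js"}},
    "tiny-logger": {"name": "tiny-logger", "version": "0.9.0"},
}


def audit_lockfile(lock, expected_registry=EXPECTED_REGISTRY):
    """Return {package path: [problems]} for lockfile entries that resolve
    outside the expected registry or carry no integrity hash."""
    findings = {}
    for path, entry in lock.get("packages", {}).items():
        if path == "" or entry.get("link"):
            continue  # root project entry or workspace symlink
        problems = []
        resolved = entry.get("resolved")
        if resolved:
            host = urlparse(resolved).hostname or ""
            if host != expected_registry:
                problems.append(f"resolved from {host}")
        else:
            problems.append("no resolved URL")
        if not entry.get("integrity"):
            problems.append("no integrity hash")
        if problems:
            findings[path] = problems
    return findings


def find_install_hooks(manifests):
    """Return {package: {hook: command}} for every manifest that declares a
    script npm would execute automatically at install time."""
    hooks = {}
    for name, manifest in manifests.items():
        scripts = manifest.get("scripts") or {}
        found = {h: scripts[h] for h in INSTALL_HOOKS if h in scripts}
        if found:
            hooks[name] = found
    return hooks


if __name__ == "__main__":
    for path, problems in audit_lockfile(SAMPLE_LOCK).items():
        print(f"{path}: {', '.join(problems)}")
    for name, found in find_install_hooks(SAMPLE_MANIFESTS).items():
        for hook, cmd in found.items():
            print(f"{name}: runs at install time via {hook}: {cmd!r}")
```

Against a real project, replace the constructed data with `json.load()` on the lockfile and on each `node_modules/*/package.json`. Flagging an install hook does not prove malice, since many legitimate native packages compile in `postinstall`; the point is that every flagged package is code that executes on the runner before your own tests do. Running `npm ci --ignore-scripts` in CI removes that execution opportunity outright, and keeping publish tokens off build runners that merely consume packages removes the worm's means of spreading from them.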
Kamikaze Wiper
The worm checks whether the host's timezone or locale settings indicate Iran, then branches on whether it is running inside a Kubernetes cluster:
- Kubernetes + Iran: wipe every node in the cluster
- Kubernetes + elsewhere: install a backdoor on every node
- No Kubernetes + Iran: rm -rf / (delete the entire filesystem)
- No Kubernetes + elsewhere: exit without doing anything
Note that Kubernetes clusters outside Iran are not spared: they are backdoored rather than wiped, so an infected cluster elsewhere should be treated as persistently compromised, not as a near miss.
The Iran Puzzle
TeamPCP was previously financially motivated. The Iranian wiper has no obvious monetary payoff, leading researchers to speculate about ideological motives or an attention-seeking strategy.
Source: Ars Technica, Aikido research