A new hacking group called TeamPCP has been actively deploying self-propagating malware through the open source ecosystem. In late December, researchers at Flare observed that TeamPCP was exploiting unsecured cloud-hosted platforms to establish a distributed infrastructure for data exfiltration, ransomware deployment, and cryptocurrency mining purposes.
More recently, the group conducted a supply-chain attack on Trivy, a widely used vulnerability scanner developed by Aqua Security. By compromising the GitHub account of Trivy's creator, TeamPCP was able to push potent malware into virtually all versions of the software. The resulting worm could propagate to new machines automatically, without any user interaction, which made it highly effective.
The malware, known as CanisterWorm because of its unusual control mechanism built on Internet Computer Protocol canisters, was designed to be tamper-resistant and difficult for third parties to disrupt. The canisters let TeamPCP change the worm's command-server addresses at any time, so the infrastructure could keep functioning even as individual servers were disrupted. However, researchers found that one such canister had been taken down over the weekend, reducing the mechanism's reliability.
In a recent development, CanisterWorm was updated with an additional payload that specifically targets machines in Iran. The malware checks whether an infected system's time zone or other configuration indicates it is located in or set up for use in Iran; on a match, it triggers a destructive payload named Kamikaze, which can wipe entire Kubernetes clusters.
While TeamPCP's activities have not yet caused actual damage, they pose significant risks given their sophistication and rapid spread through open source ecosystems. This campaign highlights the growing threat of self-propagating malware via supply chains and underscores the need for robust security measures in CI/CD pipelines and open source software development.