A new hacking group identified as TeamPCP has been engaging in persistent campaigns targeting open source software. The group initially leveraged a worm that exploited cloud-hosted platforms and built infrastructure for further attacks. More recently, the group deployed CanisterWorm, a self-propagating malware capable of spreading autonomously via npm packages.
CanisterWorm was observed compromising virtually all versions of the Trivy vulnerability scanner after the group gained access to Aqua Security's GitHub account. The worm then spread by harvesting credentials from affected machines and using them to infect packages those credentials could publish. This mechanism allowed the malware to propagate rapidly, making it difficult for security teams to contain.
Later, CanisterWorm received an additional payload: a wiper named Kamikaze, specifically designed to target Iranian machines. Before executing its destructive payload, the malware checks whether the infected system is set to Iran's timezone or is otherwise configured as Iranian. While no actual damage has been reported yet, the potential for large-scale impact remains high given the worm's self-propagation capabilities.
The group’s use of advanced tactics and automation highlights the evolving threat landscape, necessitating continuous vigilance from security professionals.