Self-Propagating TeamPCP Malware Poisoning OSS, Wiping Iranian Machines
The article explains TeamPCP, a group that spreads a backdoor and an Iran-focused wiper. Researchers first saw the campaign when a worm attacked insecure cloud hosts to build a network used for stealing data and delivering ransomware.
The attackers broke into Aqua's GitHub, hijacked the Trivy scanner, and used an npm token to publish malicious updates to packages.
The malware, called CanisterWorm, queries a smart-contract canister to obtain its command URLs and then checks in with its controller. One version also carries the Kamikaze payload, which wipes machines whose system time zone is Iran's while installing a backdoor.
The author notes that the group is seeking more notoriety and advises developers to check their systems for indicators of compromise and to rotate any credentials, such as npm and GitHub tokens, that may have been exposed.
