arstechnica.com 3/24/2026, 12:46:18 PM

Self-propagating malware poisons open source software and wipes Iran-based machines

A new threat group, tracked as TeamPCP, has been running a persistent campaign that spreads a self-propagating backdoor, CanisterWorm, together with a data wiper aimed at machines in Iran. The worm spreads through compromised npm packages: using npm tokens that carry publish rights, it pushes malicious updates to every package those tokens are allowed to publish, and in one burst it infected 28 packages in under 60 seconds.

For command and control, the malware resolves its server addresses through an unusual mechanism: a canister (a smart-contract-style program) hosted on the Internet Computer Protocol that returns the current URLs of the control servers, so the attackers can swap destinations without touching the infected hosts. Infected machines poll the canister every 50 minutes. A wiper named Kamikaze was later added to CanisterWorm and is built to run only on systems in Iran: a decision tree checks whether Kubernetes is present and how the system's country is configured, then deploys a different payload for each branch.
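The fixed 50-minute check-in described above is the kind of artifact a defender can hunt for in outbound proxy or firewall logs. The script below is an added example written for this page, not code from the article or from the CanisterWorm samples it describes. It assumes a simple `<UTC timestamp> <source host> <destination>` log format, runs over constructed sample lines, and uses a placeholder canister host name under ic0.app (the public gateway domain for Internet Computer canisters, which the article does not name); the jitter and minimum-hit thresholds are tuning assumptions.

```python
"""Hunt for fixed-interval beaconing in outbound connection logs.

Added example for this article; not code from the article or from the
malware it describes. The log format, host names and thresholds are
assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Constructed sample log: "<UTC timestamp> <source host> <destination>".
# The canister host name is a placeholder, not a real canister ID.
SAMPLE_LOG = """\
2026-03-23T00:00:00Z build-01 example-canister.ic0.app
2026-03-23T00:50:03Z build-01 example-canister.ic0.app
2026-03-23T01:40:01Z build-01 example-canister.ic0.app
2026-03-23T02:30:06Z build-01 example-canister.ic0.app
2026-03-23T03:20:02Z build-01 example-canister.ic0.app
2026-03-23T00:03:11Z build-01 registry.npmjs.org
2026-03-23T00:09:47Z build-01 registry.npmjs.org
2026-03-23T01:31:05Z build-01 registry.npmjs.org
2026-03-23T02:02:58Z build-01 registry.npmjs.org
2026-03-23T05:45:21Z build-01 registry.npmjs.org
2026-03-23T00:00:00Z dev-07 github.com
2026-03-23T00:01:00Z dev-07 github.com
"""


def parse_log(text):
    """Group connection times by (source, destination), sorted by time."""
    conns = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        conns[(src, dst)].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    for times in conns.values():
        times.sort()
    return conns


def find_beacons(conns, min_hits=4, max_jitter_ratio=0.05):
    """Return (src, dst, median_gap_seconds) for pairs that beacon.

    A pair is flagged when it has at least min_hits connections and the
    standard deviation of the gaps between consecutive connections is at
    most max_jitter_ratio times the median gap, i.e. the host talks to
    the destination on a near-constant schedule. Human-driven traffic
    (package installs, git pushes) has irregular gaps and is not flagged.
    """
    hits = []
    for (src, dst), times in conns.items():
        if len(times) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps)
        if med > 0 and pstdev(gaps) <= max_jitter_ratio * med:
            hits.append((src, dst, med))
    return hits


if __name__ == "__main__":
    for src, dst, gap in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{src} -> {dst}: beaconing every ~{gap / 60:.1f} min")
```

On the constructed sample only the build-01 to canister pair is flagged, with a median gap of about 3000 seconds; the npm registry traffic from the same host has gaps ranging from minutes to hours and is ignored. A strict 50-minute schedule is easy to spot this way; an implant that randomises its sleep would need a looser jitter ratio or a histogram-based test instead.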

According to Aikido researcher Charlie Eriksen, there is no indication yet of actual damage to Iranian machines, but the potential is clear if the worm achieves active spread. The campaign intensified after a supply-chain compromise of the Trivy vulnerability scanner and its maintainer, Aqua Security; CanisterWorm has also targeted Aqua Security's Docker Hub and GitHub accounts to publish malicious updates and deface repositories.


Article by CyberSIXT