Ethical Hacking News
TeamPCP has launched a new wave of devastating malware on the Internet, targeting organizations' CI/CD pipelines and software repositories managed by npm. The attack, dubbed CanisterWorm, has significant implications for development organizations and highlights TeamPCP's relentless pursuit of compromising infrastructure and stealing sensitive information.
TeamPCP has launched a new wave of devastating malware, called CanisterWorm, that targets organizations' CI/CD pipelines and software repositories managed by npm. The attack begins with a supply-chain compromise of Trivy, a widely used vulnerability scanner, and abuses Aqua Security's GitHub account to distribute the malicious update. CanisterWorm is worm-enabled, spreading automatically without victim interaction; it targeted 28 packages in less than 60 seconds and has the potential for large-scale impact if it achieves active spread. The attack highlights TeamPCP's evolution from purely financially motivated attacks to ones with an ideological component, targeting security tools and open-source projects. The group's continued access to sensitive infrastructure suggests incomplete containment of the initial breach.
TeamPCP, a hacking group that has gained notoriety in recent months for its relentless campaign against organizations and individuals alike, has once again demonstrated its cunning and sophistication by unleashing a new wave of devastating malware on the Internet. The latest attack, dubbed CanisterWorm, targets organizations' CI/CD pipelines used for rapid development and deployment of software, with the goal of compromising servers for exfiltrating data, deploying ransomware, conducting extortion, and mining cryptocurrency.
The attack began with a supply-chain compromise of Trivy, a widely used vulnerability scanner, which was made possible by an earlier compromise of Aqua Security's GitHub account in late February. Although the company's incident response was intended to replace all compromised credentials, the rotation was incomplete, allowing TeamPCP to retain control of the GitHub account used to distribute the scanner. The group then compromised Aqua Security's Docker Hub account and published two malicious updates for the scanner.
The attack took a dramatic turn over the weekend when researchers from security firm Aikido observed CanisterWorm spreading potent malware that was also worm-enabled, meaning it could spread to new machines automatically, with no interaction required from the victim at the keyboard. The malware scours compromised machines for npm access tokens and compromises every package those tokens can publish by creating a new version laced with the malicious code. Aikido observed the worm targeting 28 packages in less than 60 seconds.
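The publish pattern described above (many packages re-released within seconds using stolen tokens) is something a maintainer can look for in the npm registry's own metadata. The following is an added example, not code from the article, Aikido or Socket; it assumes the registry's `time` field (version to ISO timestamp) and uses constructed package names and timestamps.

```python
from datetime import datetime, timedelta

# Constructed sample: the "time" field as returned by the public npm registry
# (https://registry.npmjs.org/<package>) for four packages owned by one
# maintainer. Names and timestamps are made up for this example.
SAMPLE_REGISTRY = {
    "acme-logger": {"time": {"created": "2025-01-10T09:00:00.000Z",
                             "1.4.0": "2025-11-02T12:00:00.000Z",
                             "1.4.1": "2026-03-21T14:02:10.000Z"}},
    "acme-utils": {"time": {"created": "2024-06-01T08:00:00.000Z",
                            "0.9.2": "2025-09-15T10:30:00.000Z",
                            "0.9.3": "2026-03-21T14:02:35.000Z"}},
    "acme-cli": {"time": {"created": "2023-02-20T11:00:00.000Z",
                          "2.0.0": "2025-12-01T16:00:00.000Z",
                          "2.0.1": "2026-03-21T14:02:58.000Z"}},
    "acme-docs": {"time": {"created": "2022-08-05T07:00:00.000Z",
                           "3.1.0": "2025-11-02T12:00:00.000Z"}},
}


def latest_publish(meta):
    """Return (version, datetime) of the most recently published version."""
    times = {v: t for v, t in meta["time"].items() if v not in ("created", "modified")}
    ver = max(times, key=lambda v: times[v])
    return ver, datetime.fromisoformat(times[ver].replace("Z", "+00:00"))


def find_publish_bursts(registry, window=timedelta(seconds=60), min_packages=3):
    """Group packages whose latest releases all fall inside `window` of each other.

    A human maintainer rarely ships several unrelated packages within seconds;
    a worm that republishes every package a stolen token can reach does.
    Returns a list of bursts, each a list of (package, version, iso_timestamp).
    """
    events = []
    for name, meta in registry.items():
        ver, ts = latest_publish(meta)
        events.append((ts, name, ver))
    events.sort()
    bursts, i = [], 0
    while i < len(events):
        j = i
        while j + 1 < len(events) and events[j + 1][0] - events[i][0] <= window:
            j += 1
        if j - i + 1 >= min_packages:
            bursts.append([(n, v, t.isoformat()) for t, n, v in events[i:j + 1]])
            i = j + 1
        else:
            i += 1
    return bursts
```

A burst is a signal to verify those versions against your own release records, not proof of compromise on its own.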
The latest CanisterWorm attack is notable not only for its technical sophistication but also for its potential consequences. The group's targeting of organizations' CI/CD pipelines and machines could have significant repercussions, particularly if the malware achieves active spread. According to Aikido researcher Charlie Eriksen, there is "clear potential for large-scale impact if it achieves active spread."
Furthermore, the attack highlights TeamPCP's evolution as a group that is no longer solely motivated by financial gain. While the group's previous attacks were aimed at stealing sensitive information and extorting money from its victims, the latest CanisterWorm campaign seems to have an ideological component. Eriksen noted that "historically, TeamPCP has appeared to be financially motivated, but there are signs that visibility is becoming a goal in itself." The group appears to be sending a clear and deliberate signal by targeting security tools and open-source projects.
The hack that keeps on giving
In addition to the CanisterWorm attack, researchers from security firm Socket observed that TeamPCP's continued access to sensitive infrastructure following the initial breach of Aqua Security suggests incomplete containment. "This is also consistent with the attacker's continued access following the initial breach, including the ability to publish malicious Trivy images (v0.69.5 and v0.69.6) to Docker Hub and expose internal Aqua repositories," Socket wrote in an email.
The ongoing control over release infrastructure highlights TeamPCP's skill in large-scale automation and integration of well-known attack techniques. The group's ability to spread malware through sensitive developer pipelines and machines represents a serious escalation of its campaign to steal as many credentials as possible. Development organizations should realize that they may have been affected without knowing it.
The CanisterWorm campaign has significant implications for organizations that use CI/CD pipelines and software repositories managed by npm. According to Aikido, these organizations can take steps to find out whether they were affected. "Both Aikido and Socket have published indicators that these organizations can use to determine if they have been targeted or compromised," Eriksen said.
In conclusion, TeamPCP's latest attack highlights the group's relentless pursuit of compromising organizations' infrastructure and stealing sensitive information. The CanisterWorm campaign is a significant escalation of the group's previous attacks, with potential consequences that could be devastating for organizations targeted by the malware.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Rise-of-TeamPCP-A-Persistent-Campaign-of-Devastating-Consequences-ehn.shtml
https://arstechnica.com/security/2026/03/self-propagating-malware-poisons-open-source-software-and-wipes-iran-based-machines/
https://krebsonsecurity.com/2026/03/canisterworm-springs-wiper-attack-targeting-iran/
https://www.itnews.com.au/news/teampcp-hackers-deface-aqua-securitys-internal-github-624527
https://aitoolly.com/ai-news/article/2026-03-22-trivy-security-incident-reports-flagged-as-dead-on-hacker-news-platform
Published: Tue Mar 24 10:44:11 2026 by llama3.2 3B Q4_K_M