A cybercrime group called TeamPCP has deployed a wiper worm dubbed CanisterWorm that targets cloud infrastructure and destroys data on systems configured with Iran's timezone or Farsi locale. The group previously compromised Aqua Security's Trivy vulnerability scanner via a GitHub Actions supply chain attack, stealing SSH keys, cloud credentials, Kubernetes tokens, and crypto wallets. TeamPCP uses Internet Computer Protocol (ICP) blockchain canisters to orchestrate attacks, making their infrastructure resistant to takedown. The wiper, if it detects an Iranian environment with Kubernetes access, destroys data across all cluster nodes. Security researchers note the group is financially motivated but appears to be using the Iran-targeting angle partly for notoriety, and experts warn that GitHub's malware problem is growing as supply chain attacks increase in frequency.
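The GitHub Actions supply chain attack mentioned above is the kind of compromise that mutable action references (tags or branch names that a maintainer or attacker can move) make possible. As an added example, not code from the report, from TeamPCP, or from Aqua Security, here is a small audit that scans a workflow file and reports every `uses:` reference that is not pinned to a full commit SHA. The workflow text is constructed for the example; `example-org/scanner-action` is a hypothetical action name.

```python
import re

# Matches a "uses:" line in a workflow, with or without a leading list dash.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'\s#]+)')
# A full 40-hex-character commit SHA is the only immutable pin.
SHA_RE = re.compile(r'^[0-9a-f]{40}$')


def classify_action_ref(ref):
    """Return (action, version, status) for one 'uses:' reference.

    status is one of:
      'skip'        - local path or docker image, not a GitHub action ref
      'unpinned'    - no '@version' at all
      'mutable-ref' - tag or branch name, which can be moved after the fact
      'pinned-sha'  - full commit SHA, immutable
    """
    if ref.startswith('./') or ref.startswith('docker://'):
        return (ref, None, 'skip')
    if '@' not in ref:
        return (ref, None, 'unpinned')
    action, version = ref.rsplit('@', 1)
    if SHA_RE.fullmatch(version):
        return (action, version, 'pinned-sha')
    return (action, version, 'mutable-ref')


def find_unpinned_uses(workflow_text):
    """Scan workflow YAML text line by line and return the references
    that are not pinned to a commit SHA, as (lineno, action, version, status)."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, version, status = classify_action_ref(m.group(1))
        if status in ('unpinned', 'mutable-ref'):
            findings.append((lineno, action, version, status))
    return findings


# Constructed sample workflow; the SHA below is a made-up placeholder.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567
      - name: Run scanner
        uses: example-org/scanner-action@main
      - uses: ./.github/actions/local-step
"""

if __name__ == '__main__':
    for lineno, action, version, status in find_unpinned_uses(SAMPLE_WORKFLOW):
        print(f'line {lineno}: {action}@{version} is {status}; pin to a commit SHA')
```

Run on the sample, the audit flags `actions/checkout@v4` and `example-org/scanner-action@main` as mutable references and accepts the SHA-pinned step. Pinning to a SHA does not by itself make an action trustworthy, but it does mean a later push to a tag or branch cannot silently change what the workflow executes, which closes the window the attack above relied on.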