How TeamPCP’s Malware Targets Open Source Software
Recently, a new hacking group named TeamPCP has emerged as a major threat in the cybersecurity landscape. This group has developed self-propagating malware that specifically targets open source software and machines based in Iran. The implications of this malware are significant for developers and organizations relying on these technologies.

TeamPCP first gained attention in December 2025 when security researchers noticed its activities. The group unleashed a worm that exploited poorly secured cloud-hosted platforms. Their goal was to create a distributed proxy system for data exfiltration, ransomware deployment, and cryptocurrency mining. This highlights the group’s advanced skills in automating large-scale attacks.
Key takeaways
- TeamPCP targets open source software, posing risks to developers.
- The malware can spread automatically without user interaction.
- It includes a wiper that specifically targets Iranian machines.
- Organizations should check their networks for potential infections.
Recently, TeamPCP escalated its campaign by compromising the Trivy vulnerability scanner. They gained access to Aqua Security’s GitHub account, allowing them to inject malicious code into widely used packages. This supply-chain attack demonstrates how vulnerable even established tools can be if not properly secured.

The malware, named CanisterWorm by researchers, operates using a unique mechanism designed to be tamper-proof. It employs an Internet Computer Protocol-based canister that directs infected machines to constantly changing URLs for malicious binaries. This allows TeamPCP to maintain control over the worm even after initial defenses are put in place.
In addition, CanisterWorm features a wiper called Kamikaze that activates only on machines located in Iran. If it detects an Iranian timezone or configuration, it triggers destructive commands aimed at wiping data. While there have been no confirmed reports of damage yet, the potential for widespread impact is alarming.
What organizations should do
Organizations using CI/CD pipelines should take immediate action. They must ensure their npm tokens are secure and monitor for any signs of infection from TeamPCP’s malware. Regularly updating credentials and reviewing access permissions can help mitigate risks associated with such attacks.
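As an added example that is not part of the original report, the following Python script audits a CI workspace for hardcoded npm auth tokens in .npmrc files, the kind of credential the article says this worm abuses; any auth value that is not an environment-variable reference is flagged, and token values are never written to the findings. The sample .npmrc, its placeholder token and the internal registry hostname are constructed for the example.

```python
# Added example: audit .npmrc files for hardcoded npm auth tokens.
# Hardcoded values are flagged; values that reference an environment
# variable (e.g. ${NPM_TOKEN}) are the recommended form in CI.
import re
from pathlib import Path

# A registry auth line looks like: //registry.npmjs.org/:_authToken=<value>
AUTH_LINE = re.compile(r"^\s*(//[^=\s]+/:_authToken)\s*=\s*(\S+)\s*$")
# Values of the form ${VAR_NAME} are expanded by npm from the environment
ENV_REF = re.compile(r"^\$\{[A-Za-z_][A-Za-z0-9_]*\}$")


def classify_line(line: str):
    """Return ('env' | 'hardcoded', registry_key) for an auth line, else None."""
    m = AUTH_LINE.match(line)
    if not m:
        return None
    key, value = m.groups()
    return ("env" if ENV_REF.match(value) else "hardcoded", key)


def audit_npmrc_text(text: str) -> list:
    """Audit one .npmrc's contents; token values are never included in findings."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        result = classify_line(line)
        if result is not None:
            kind, key = result
            findings.append({"line": lineno, "registry": key, "kind": kind})
    return findings


def audit_tree(root: Path) -> dict:
    """Walk a workspace and audit every .npmrc found, keyed by relative path."""
    report = {}
    for npmrc in root.rglob(".npmrc"):
        report[str(npmrc.relative_to(root))] = audit_npmrc_text(npmrc.read_text())
    return report


# Constructed sample .npmrc: one hardcoded placeholder token, one env reference
SAMPLE_NPMRC = """\
registry=https://registry.npmjs.org/
//registry.npmjs.org/:_authToken=npm_PLACEHOLDER_NOT_A_REAL_TOKEN
//npm.example-internal.test/:_authToken=${NPM_TOKEN}
always-auth=true
"""

if __name__ == "__main__":
    for f in audit_npmrc_text(SAMPLE_NPMRC):
        print(f"line {f['line']}: {f['kind']} token for {f['registry']}")
```

Run `audit_tree(Path("."))` from a checkout root to cover every .npmrc in the tree, including ones nested in package directories.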
The ongoing situation with TeamPCP serves as a critical reminder of the importance of cybersecurity in today’s digital landscape. Developers must remain vigilant against evolving threats targeting their tools and infrastructure.
Frequently Asked Questions
- What is TeamPCP? TeamPCP is a hacking group known for deploying sophisticated malware targeting open source software.
- How does CanisterWorm spread? It spreads automatically through compromised npm tokens without requiring user interaction.
- What should organizations do? Organizations should secure their CI/CD pipelines and monitor for signs of infection.
Sources
For the original report, see the source article.
