TeamPCP Unleashes Self-Spreading Malware and Iran Wiper

Image © Arstechnica
Security researchers warn of a persistent TeamPCP campaign deploying a self-propagating backdoor and an Iran-targeting data-wiper that threatens open-source software and the software supply chain.

A new hacking group, TeamPCP, has launched a persistent campaign that spreads a self-propagating backdoor and a data-wiper aimed at Iran-based machines. The operation first drew attention in December when researchers from security firm Flare observed a worm targeting cloud platforms that weren’t properly secured. The attackers sought to build a distributed proxy and scanning network to breach servers for data exfiltration, ransomware deployment, extortion, and cryptocurrency mining. TeamPCP is noted for high levels of automation and the fusion of well-known attack techniques.

In recent activity, TeamPCP waged a relentless campaign with continually evolving malware that broadened its reach. Late last week, it gained privileged access to Aqua Security’s GitHub account and compromised the Trivy vulnerability scanner in what researchers described as a supply-chain attack. Over the weekend, investigators observed the worm spreading to npm packages: after infection, it hunted for access tokens and injected malicious code into packages. At one point, a single operator activity infected 28 packages in under a minute, with later versions removing manual spread requirements.

The worm’s command and control relied on an Internet Computer Protocol–based canister, a self-enforcing mechanism designed to be resistant to takedown. The canister supplied attackers with changing URLs for hosts carrying the malicious binaries, and infected machines phoned the canister about every 50 minutes to fetch updates and relay status.
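The article notes that infected machines contacted the canister roughly every 50 minutes, and that kind of fixed-interval check-in is exactly what a defender can hunt for in proxy or DNS logs, even when the destination URLs keep changing. The following script is an added example written for this page, not code from the article, from Ars Technica, or from any vendor tool. It parses constructed proxy log lines of the form `timestamp source destination`, groups requests per source/destination pair, and flags pairs whose inter-request intervals are tightly regular (low coefficient of variation). The log format, the hostnames and the thresholds are assumptions for the example.

```python
"""Periodic-beacon detection over constructed proxy log lines.

Added example (not from the article or any vendor tool). The article states
that infected hosts contacted the canister about every 50 minutes; this script
scores each (source, destination) pair by how regular its request intervals
are. Log format, hostnames and thresholds are assumptions for the example.
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed sample log lines: ISO-8601 timestamp, source IP, destination host.
# 10.0.0.5 checks in at ~50-minute intervals; 10.0.0.7 shows ordinary bursty use.
SAMPLE_LOG = """\
2026-03-22T00:00:00Z 10.0.0.5 canister.example
2026-03-22T00:50:12Z 10.0.0.5 canister.example
2026-03-22T01:40:03Z 10.0.0.5 canister.example
2026-03-22T02:30:20Z 10.0.0.5 canister.example
2026-03-22T03:20:08Z 10.0.0.5 canister.example
2026-03-22T00:03:00Z 10.0.0.7 registry.example
2026-03-22T00:04:30Z 10.0.0.7 registry.example
2026-03-22T01:17:00Z 10.0.0.7 registry.example
2026-03-22T05:41:00Z 10.0.0.7 registry.example
"""


def parse_log(text):
    """Return {(src, dst): [datetime, ...]} with each list sorted by time."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        flows[(src, dst)].append(when)
    for key in flows:
        flows[key].sort()
    return flows


def beacon_score(timestamps):
    """Return (mean_interval_seconds, coefficient_of_variation).

    Returns None when there are too few events to judge regularity.
    The coefficient of variation (stdev / mean) is close to 0 for a
    fixed-interval beacon and large for human or bursty traffic.
    """
    if len(timestamps) < 4:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    m = mean(gaps)
    if m <= 0:
        return None
    return m, pstdev(gaps) / m


def find_beacons(text, min_events=4, max_cv=0.1):
    """Flag (src, dst) pairs whose check-in interval is suspiciously regular."""
    results = []
    for (src, dst), ts in parse_log(text).items():
        score = beacon_score(ts)
        if score is None or len(ts) < min_events:
            continue
        mean_s, cv = score
        if cv <= max_cv:
            results.append({
                "src": src,
                "dst": dst,
                "events": len(ts),
                "mean_interval_min": round(mean_s / 60, 1),
                "cv": round(cv, 3),
            })
    return results


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"{hit['src']} -> {hit['dst']}: {hit['events']} events, "
              f"every ~{hit['mean_interval_min']} min (cv={hit['cv']})")
```

Regular intervals alone are not proof of compromise (package managers, monitoring agents and update checkers also poll on schedules), so a hit is a lead for triage: check what process on the source host owns the connections and whether the destination is a known service.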

Over the weekend, analysts noted a new payload: a data-wiper targeting Iran. When an infected host matched the Iranian timezone or was configured for Iranian deployment, the malware would trigger Kamikaze, a wipe module. While researchers said there was potential for wide damage if the wiper spreads, there is no public evidence yet that Iranian machines were actually wiped, and the canister was reportedly taken down after discovery.

Security teams are urged to review networks for signs of TeamPCP activity, rotate credentials used by CI/CD and package registries, and scrutinize npm tokens and publish permissions. Experts advise tightening supply-chain controls and monitoring for anomalous package versions, as well as following advisories from researchers tracking TeamPCP’s campaigns. Development shops should run network and code-supply checks to detect and contain infections early.


Arstechnica
