Self-propagating malware poisons open-source packages

A self-propagating malware campaign has poisoned open-source software and introduced a destructive payload that targets systems configured for Iran, according to Ars Technica. Researchers tracking the group—dubbed TeamPCP—say the operation evolved from opportunistic cloud compromises into a supply-chain attack that briefly affected “virtually all versions” of Trivy, a widely used vulnerability scanner, after attackers gained privileged access to a GitHub account at Aqua Security.

The mechanics matter because they exploit how modern software is built: by assembling dependencies rather than writing everything from scratch. After infecting a machine, the worm searches for npm repository access tokens and then publishes new versions of any packages that token can modify, embedding the malicious code into the update stream. Security firm Aikido observed the worm targeting 28 packages in under a minute. In effect, each compromised developer environment or CI/CD pipeline becomes a distribution channel.

TeamPCP also used an unusual control mechanism designed to resist takedowns: an Internet Computer Protocol “canister,” described as a smart-contract-like component that could direct infected systems to shifting URLs hosting malicious binaries. Infected machines phoned home to the canister roughly every 50 minutes. Aikido said the canister was later taken down, undercutting the attackers’ attempt to make command-and-control infrastructure hard to disrupt.

As the weekend progressed, the malware gained a second personality. On systems set to the Iranian timezone or otherwise configured for use in Iran, the worm switched from credential theft to destruction, deploying a payload the developers called “Kamikaze.” In Kubernetes environments, it could deploy a DaemonSet to wipe every node in a cluster; outside Kubernetes, it could attempt a blunt-force deletion of the filesystem. Researchers said they have not yet confirmed real-world damage, but the code path was explicit.

The episode highlights a structural weakness in open-source supply chains: the ecosystem assumes that package publishers and their accounts will remain uncompromised, and that downstream users will update quickly because updates are usually good. Attackers have learned to treat that trust as a distribution network. The more automated the pipeline—continuous integration, automated dependency updates, container builds—the less human friction exists to stop a malicious release.

It also shows how geopolitical intent can be embedded in code without passing through legislatures, sanctions agencies, or courts. A wiper that checks for an Iranian configuration is a policy decision executed at machine speed, with no appeal process and no way for an ordinary developer to predict whether a dependency update will carry a political payload.

Trivy is used to find vulnerabilities. For a brief window, updating it could have been the vulnerability.