CanisterWorm Malware Spreads Through npm Packages with Destructive Capabilities

A rapidly spreading malware campaign called CanisterWorm has been infecting developer environments through over 45 compromised npm packages, with the ability to move between machines within seconds. The operation, attributed to a group known as TeamPCP, escalated from credential theft to destructive attacks against Kubernetes clusters within 48 hours of initial observation on March 20, 2026. Attackers gained access through stolen credentials from Aqua Security's Trivy scanner, enabling them to take over maintainer accounts and publish malicious updates.

The malware introduces a novel command-and-control mechanism using a blockchain-based canister on the Internet Computer Protocol, making takedown efforts exceptionally difficult. When CanisterWorm identifies systems in Iranian Kubernetes environments, particularly those in the Asia/Tehran timezone, it deploys a wiper component called Kamikaze that deletes files and crashes systems. Outside Iran, the malware installs a backdoor rather than destructive payloads, while systems without Kubernetes infrastructure see the malware simply exit.

The worm has evolved beyond cloud clusters and now spreads through stolen SSH keys to move laterally across local networks. Security researchers at Aikido Security report that attackers hijacked 28 packages in under one minute during the campaign. Developers are advised to check for suspicious services named "pgmon" or "pgmonitor," which are used to disguise the malware as legitimate database tools. The campaign represents a significant evolution in supply chain attacks, combining rapid propagation with geographically targeted destructive capabilities.
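As an added defender-side example (not code from the article, Aikido or Aqua), the following POSIX shell check lists systemd unit files that use the pgmon/pgmonitor disguise the article mentions; the directories to scan and the sample unit files it creates are constructed assumptions.

```shell
#!/bin/sh
# Added example; not code from the article, Aikido or Aqua. Flags systemd unit
# files that carry the "pgmon"/"pgmonitor" names the article says the malware
# hides behind. Directories are arguments so the same check runs on a live host
# (e.g. /etc/systemd/system, ~/.config/systemd/user) or on a mounted image copy.

# Print "<unit file>: <reason>" for each suspicious unit under the given dirs.
# Exit status 0 if at least one unit was flagged, 1 otherwise.
find_pgmon_units() {
    hits=0
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for unit in "$dir"/*.service; do
            [ -f "$unit" ] || continue
            case "$(basename "$unit")" in
                pgmon*.service)
                    printf '%s: unit name matches pgmon/pgmonitor\n' "$unit"
                    hits=$((hits + 1))
                    continue ;;
            esac
            # An innocently named unit can still pose as a Postgres monitor
            # in Description= or launch a pgmon binary from ExecStart=.
            line=$(grep -i -E '^(Description|ExecStart)=.*pgmon' "$unit" | head -n 1)
            if [ -n "$line" ]; then
                printf '%s: %s\n' "$unit" "$line"
                hits=$((hits + 1))
            fi
        done
    done
    [ "$hits" -gt 0 ]
}

# Constructed sample data so the check runs offline: one disguised unit, one
# hidden behind a generic name, and a genuine-looking PostgreSQL unit.
demo() {
    tmp=$(mktemp -d)
    printf '[Service]\nExecStart=/usr/local/bin/pgmonitor\n' > "$tmp/pgmonitor.service"
    printf '[Unit]\nDescription=pgmon health check\n[Service]\nExecStart=/opt/x/run\n' > "$tmp/sys-health.service"
    printf '[Unit]\nDescription=PostgreSQL RDBMS\n[Service]\nExecStart=/usr/bin/postgres\n' > "$tmp/postgresql.service"
    find_pgmon_units "$tmp"        # lists the two disguised units, not postgresql
    status=$?
    rm -rf "$tmp"
    return $status
}

demo
```

A flagged unit is a lead, not a verdict: confirm by inspecting the ExecStart binary and comparing it against what the host's package manager actually installed.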
