EXECUTIVE SUMMARY
TeamPCP is conducting a coordinated campaign that combines supply chain compromise with cloud exploitation to gain privileged access across environments. The attackers deploy credential harvesters, Kubernetes lateral movement tooling, and persistent backdoors, enabling large-scale infrastructure takeover. The campaign culminates in CanisterWorm, a self-propagating wiper capable of targeted destructive impact on selected systems.
- Active Region: Global (Iran-targeted wiper logic)
- Affected Sector: Multiple sectors
- Affected Product: Cloud infrastructure, DevSecOps, CI/CD, open-source software supply chain
- Severity: Critical
- Published Date: March 30, 2026
TECHNICAL DETAILS
- Target: Cloud-native environments including Docker hosts, Kubernetes clusters, and Redis instances, along with CI/CD pipelines, developer workstations, and production systems storing high-value secrets such as cloud credentials, SSH keys, API tokens, and environment configuration files.
- Root Cause: Compromise of the software supply chain through malicious code injection into trusted packages and CI/CD tools, combined with insecure cloud configurations (e.g., exposed APIs/services) and excessive privileges granted to automation and security tooling within DevOps environments.
- Prerequisite for Exploitation: Use or execution of compromised dependencies or CI/CD workflows (e.g., litellm, Trivy, KICS), presence of exposed or weakly secured……
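As an added defensive example, not part of this advisory: a Python check that flags CI actions not pinned to a full commit SHA and Python dependencies without an exact version pin, the kind of review the prerequisite above (compromised dependencies or CI/CD workflows such as litellm, Trivy, KICS) calls for. The workflow fragment, requirements lines and commit SHA are constructed for illustration; the action names are the public ones for Trivy and KICS.

```python
import re

# Constructed sample inputs (illustration only, not from the advisory).
SAMPLE_WORKFLOW = """\
name: ci
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
      - uses: aquasecurity/trivy-action@master
      - uses: checkmarx/kics-github-action@v2.1.3
      - run: pip install -r requirements.txt
"""

SAMPLE_REQUIREMENTS = """\
litellm
requests==2.32.3
pyyaml>=6.0   # floating lower bound, resolves to whatever is newest
"""

# owner/repo[/path]@<40-hex commit SHA>: immutable, unlike a tag or branch name
SHA_PIN = re.compile(r"^[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(/[^@]+)?@([0-9a-f]{40})$")
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
# name[extras]==version: an exact pin (hash pinning would be stricter still)
EXACT_PIN = re.compile(r"^[A-Za-z0-9_.-]+(\[[^\]]*\])?\s*==\s*\S+")


def unpinned_actions(workflow_text):
    """Return GitHub Actions references that float on a tag or branch."""
    findings = []
    for line in workflow_text.splitlines():
        m = USES_LINE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local and image references are out of scope here
        if not SHA_PIN.match(ref):
            findings.append(ref)
    return findings


def unpinned_requirements(req_text):
    """Return requirement lines that carry no exact == version pin."""
    findings = []
    for line in req_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line or line.startswith("-"):
            continue  # skip blanks and pip options such as -r / --hash
        if not EXACT_PIN.match(line):
            findings.append(line)
    return findings
```

A SHA pin stops a retargeted tag or branch from pulling new code into the pipeline; it does not help when the pinned revision itself was published by a compromised maintainer, so pins still need review on update.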