privacy

TeamPCP Goes Nuclear: Iran-Targeted Kubernetes Wiper, WAV File Steganography, LAPSUS$ Partnership

The supply chain attackers behind Trivy are now wiping Iranian infrastructure, hiding malware in audio files, and extorting enterprises with help from LAPSUS$.

Circuit board with red warning lights against dark background

TeamPCP, the threat group behind the Trivy vulnerability scanner compromise, has escalated from credential theft to active destruction. Their CanisterWorm malware is now wiping Iranian Kubernetes clusters, and they’ve partnered with the notorious LAPSUS$ extortion group to target enterprises with over 300GB of stolen credentials.

If you use any open-source security tools in your CI/CD pipeline, this affects you.

The Iran-Targeted Wiper: “Kamikaze” Payload

The latest variant of CanisterWorm includes a destructive payload specifically designed to target Iranian infrastructure. Here’s how it works:

The malware runs a four-path decision tree based on two checks: whether the host is inside a Kubernetes cluster, and whether it’s configured for Iran (checking for Asia/Tehran timezone or Farsi locale).

For Iranian Kubernetes clusters: The payload deploys a DaemonSet named host-provisioner-iran with a container called kamikaze. It mounts the host root filesystem, deletes everything at the top level, then forces a reboot. Because the DaemonSet uses tolerations that schedule it across every node—including the control plane—a single deployment command is enough to brick the entire cluster.

For Iranian systems without Kubernetes: The script runs rm -rf / --no-preserve-root, wiping the entire filesystem. If it lacks root privileges, it tries passwordless sudo first, then attempts the command anyway—destroying everything owned by the current user at minimum.

For non-Iranian systems: CanisterWorm stays quietly persistent, stealing credentials and waiting for instructions.

The scope has grown substantially since the initial Trivy compromise. A third variant dropped the Kubernetes dependency entirely and added SSH key theft and exposed Docker API exploitation for lateral movement, scanning local /24 subnets for new targets.

Telnyx Compromise: Malware Hidden in Audio Files

On March 27, TeamPCP compromised the telnyx Python package—a telephony SDK with 742,000 downloads. Versions 4.87.1 and 4.87.2 contained credential-stealing malware hidden using audio steganography.

The technique is clever: rather than hosting a raw executable or base64 blob (which network inspection easily flags), the attacker wraps the payload inside a .WAV file. Python’s wave module reads the audio frame data, but that data isn’t audio—it’s a base64-encoded payload packed into the frame bytes. The decoder XORs the data with a key embedded at the start of the blob to extract the final executable.

If you installed or upgraded telnyx between 03:51 UTC and 10:13 UTC on March 27, assume full compromise. Downgrade to version 4.87.0 immediately.

LAPSUS$ Partnership and Enterprise Extortion

TeamPCP has pivoted from pure credential theft to active extortion, working through approximately 300GB of compressed stolen credentials in collaboration with LAPSUS$. They’re targeting multi-billion-dollar companies.

Mandiant estimates over 1,000 SaaS environments have been impacted, with the number expected to grow to 5,000-10,000. The stolen data includes:

  • AWS and GCP cloud credentials
  • GitHub tokens and SSH keys
  • Kubernetes service account tokens
  • npm publish tokens
  • Docker registry credentials

TeamPCP has been openly boasting about their attacks on Telegram, taking credit for the Trivy compromise, GitHub Actions attacks, OpenVSX extension incident, and PyPI hacks. They’ve stated a clear focus on security tools and high-leverage points within the OSS ecosystem.

The Full Attack Timeline

Here’s how the campaign has unfolded:

  • December 2025: TeamPCP first observed building distributed proxy infrastructure
  • Late February 2026: Attackers exploit Trivy GitHub Actions misconfiguration, extract privileged tokens
  • March 1: Trivy team discloses incident, rotates credentials (incompletely)
  • March 19: TeamPCP force-pushes malicious code to 76 of 77 trivy-action version tags
  • March 20: CanisterWorm campaign begins, infecting 45+ npm packages
  • March 22: Attackers deface all 44 Aqua Security GitHub repositories
  • March 23: Checkmarx KICS GitHub Actions compromised using stolen credentials
  • March 24: LiteLLM poisoned on PyPI (versions 1.82.7, 1.82.8)
  • March 24: Iran-targeted “kamikaze” wiper payload deployed
  • March 27: Telnyx PyPI package compromised with WAV steganography
  • March 28: Self-spreading variant with SSH/Docker lateral movement detected

By March 22, the campaign expanded from 47 packages to 141 malicious artifacts across 66+ unique npm packages.

What You Need to Do

Immediate actions:

  1. Audit all Python packages for telnyx 4.87.1 or 4.87.2, LiteLLM 1.82.7 or 1.82.8. If found, assume full credential compromise.

  2. Check Trivy versions across all CI/CD pipelines. Any workflow that ran compromised versions had every secret in its environment exfiltrated.

  3. Rotate everything: AWS/GCP credentials, GitHub tokens, SSH keys, npm tokens, Docker registry credentials, Kubernetes service account tokens.

  4. Block known IOCs: C2 domain scan.aquasecurtiy.org (note the typo), IP 45.148.10.212, and the CanisterWorm ICP canister address.

  5. Search for tpcp-docs repositories in your GitHub organization—their presence indicates successful exfiltration via the fallback mechanism.

  6. Audit npm dependencies for packages in compromised scopes: @emilgroup, @opengov, @teale.io, @airtm, @pypestream.

If you’re in Iran or operate Iranian infrastructure: Check for the host-provisioner-iran DaemonSet in kube-system. If present, your cluster may already be compromised.

Long-term hardening:

  • Pin GitHub Actions to full SHA hashes, not version tags
  • Use private registries that mirror only verified package versions
  • Run security scanners in isolated environments without production credentials
  • Implement real-time behavioral monitoring—static analysis failed because the malicious code was injected into trusted, signed actions

Why Iran?

The motive remains unclear. While there may be an ideological component—given the current US-Israel-Iran cyber conflict—it could just as easily be a deliberate attention-seeking move. TeamPCP has historically appeared financially motivated, but visibility seems to be becoming a goal in itself.

By going after security tools and targeting Iranian infrastructure simultaneously, they’re sending a clear signal: no one is safe, and they want you to know it.

What This Means

This attack represents a fundamental shift in supply chain threats. TeamPCP compromised a security tool designed to find vulnerabilities and turned it into the vulnerability. They then used that foothold to cascade across the entire OSS ecosystem—npm, PyPI, Docker Hub, VS Code extensions—while simultaneously deploying destructive payloads and partnering with established extortion groups.

The message is clear: your security tools are themselves attack surfaces. Treat them accordingly.