TeamPCP has started a new campaign that targets cloud environments; this article examines the attack on the Trivy vulnerability scanner. The group is trying to insert itself into ongoing geopolitical conflicts by releasing "CanisterWorm."
The worm deletes files on infected systems that are either located in Iran or configured to use Farsi as the default language. It spreads by abusing poorly protected cloud services, which makes an already dangerous threat actor even more dangerous. On March 19, TeamPCP launched a major supply chain attack against Trivy, a vulnerability scanner maintained by Aqua Security, placing credential-stealing malware into official GitHub Actions releases.
After breaking into Aqua Security, the attackers also took over GitHub accounts to send spam messages, as Krebs on Security reported. This was probably done to keep their malicious packages at the top of search results.
This is the second major supply chain attack involving Trivy in the past few months, after HackerBot-Claw. TeamPCP members have been bragging about their exploits on Telegram, claiming to have stolen large amounts of sensitive data from big companies, including a multinational pharmaceutical company. After getting into victims' networks, the attackers tried to move laterally through them to steal authentication credentials, and then extorted victims over the Telegram messaging app.
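The supply chain step described above (malware placed into official GitHub Actions releases) is exactly the kind of compromise that workflows referencing an action by tag or branch pick up automatically on their next run. As an added example that is not from the page, from TeamPCP's tooling or from Aqua Security's project, the following Python audits workflow text and flags every third-party action that is not pinned to a full commit SHA; the workflow, the example-org action names and the SHA value are all constructed for the demo.

```python
"""Audit GitHub Actions workflow text for action references that are not pinned
to a full commit SHA.

Added example, not code from the page, from TeamPCP's tooling or from the Trivy
project. The workflow below, the example-org action names and the SHA value are
all constructed for the demo.
"""
import re

# `uses: owner/repo[/path]@ref`, optionally quoted; the capture stops at
# whitespace or at the start of a trailing comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"#\s]+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed workflow: one SHA-pinned step, one tag-pinned, one branch-pinned, one local.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: example-org/checkout-action@0123456789abcdef0123456789abcdef01234567
      - uses: example-org/scanner-action@v0.30.0   # tag: can be re-pointed upstream
      - uses: example-org/helper-action@master
      - uses: ./.github/actions/local-step
"""


def is_immutable_ref(ref: str) -> bool:
    """True only when the part after '@' is a full 40-hex commit SHA."""
    _, sep, version = ref.rpartition("@")
    return bool(sep) and FULL_SHA_RE.match(version) is not None


def audit_workflow(text: str) -> list[dict]:
    """Return one finding per third-party action not pinned to a commit SHA."""
    findings = []
    for match in USES_RE.finditer(text):
        ref = match.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local and container actions are outside this check
        if "@" not in ref:
            findings.append({"uses": ref, "reason": "no ref given; resolves to the default branch"})
            continue
        if is_immutable_ref(ref):
            continue  # a re-uploaded release or moved tag cannot change what runs
        version = ref.rpartition("@")[2]
        kind = "branch" if version in ("main", "master") else "tag"
        findings.append({"uses": ref, "reason": f"pinned to mutable {kind} '{version}'"})
    return findings


if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{finding['uses']}: {finding['reason']}")
```

Run it over every file under `.github/workflows/`; the two mutable references in the sample are reported, the SHA-pinned step and the local action are not. Pinning by SHA does not stop a release from being poisoned upstream, but it does stop a poisoned release from reaching your pipeline until someone deliberately bumps the pin, which is the review point where the change can be inspected.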
If the wiper finds an Iranian target that can reach a Kubernetes cluster, it wipes all data on every node in that cluster. If the victim cannot reach a cluster, the malware wipes only the local machine and does not spread.
If the user's timezone and locale match those of Iran, the malware launches its wiper routine.
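Whether the wiper stays on one machine or reaches every node depends, per the description above, on what the compromised workload is allowed to do against the cluster API. As an added example that is not from the page or from any project it names, the following Python audit walks RBAC objects in the shape kubectl returns as JSON and reports which identities hold write rights on resources that span the cluster; the ClusterRole and binding objects are constructed for the demo. Limiting such bindings is the least-privilege control that keeps a foothold local.

```python
"""Find Kubernetes RBAC bindings that give an identity the rights a wiper would
need to reach every node: create/delete pods or daemonsets, exec into pods, or
wildcard access.

Added example, not code from the page or from any project it names. The role
and binding objects below are constructed dicts in the shape of
`kubectl get clusterroles,clusterrolebindings,rolebindings -A -o json` items.
"""

WRITE_VERBS = {"*", "create", "update", "patch", "delete", "deletecollection"}
# Resources that let a caller run code on, or remove, workloads across the cluster.
SPREAD_RESOURCES = {"*", "nodes", "pods", "pods/exec", "daemonsets", "deployments", "secrets"}

CLUSTER_ROLES = [  # constructed sample
    {"metadata": {"name": "scanner-everything"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "node-reader"},
     "rules": [{"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list"]}]},
    {"metadata": {"name": "pod-exec"},
     "rules": [{"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]}]},
]
BINDINGS = [  # constructed sample
    {"kind": "ClusterRoleBinding", "metadata": {"name": "scanner-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "scanner-everything"},
     "subjects": [{"kind": "ServiceAccount", "name": "scanner", "namespace": "tools"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "monitor-nodes"},
     "roleRef": {"kind": "ClusterRole", "name": "node-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "monitor", "namespace": "observability"}]},
    {"kind": "RoleBinding", "metadata": {"name": "debug-exec", "namespace": "dev"},
     "roleRef": {"kind": "ClusterRole", "name": "pod-exec"},
     "subjects": [{"kind": "User", "name": "alice"}]},
]


def rule_allows_spread(rule: dict) -> bool:
    """A rule is risky when it pairs a write verb with a spread-capable resource."""
    verbs = set(rule.get("verbs", []))
    resources = set(rule.get("resources", []))
    return bool(verbs & WRITE_VERBS) and bool(resources & SPREAD_RESOURCES)


def audit_bindings(cluster_roles: list[dict], bindings: list[dict]) -> list[dict]:
    """One finding per subject bound to a ClusterRole with at least one risky rule."""
    roles = {r["metadata"]["name"]: r for r in cluster_roles}
    findings = []
    for binding in bindings:
        role = roles.get(binding["roleRef"]["name"])
        if role is None:
            continue  # namespaced Role refs are not part of this demo's input
        risky = [r for r in role.get("rules", []) if rule_allows_spread(r)]
        if not risky:
            continue
        if binding["kind"] == "ClusterRoleBinding":
            scope = "cluster-wide"  # rights apply on every node's workloads
        else:
            scope = f"namespace {binding['metadata']['namespace']}"
        for subject in binding.get("subjects", []):
            findings.append({
                "subject": f"{subject['kind']}/{subject.get('namespace', '-')}/{subject['name']}",
                "binding": binding["metadata"]["name"],
                "role": role["metadata"]["name"],
                "scope": scope,
                "resources": sorted({res for r in risky for res in r["resources"]}),
            })
    return findings


if __name__ == "__main__":
    for finding in audit_bindings(CLUSTER_ROLES, BINDINGS):
        print(f"{finding['subject']} via {finding['binding']} ({finding['scope']}): "
              f"{finding['role']} -> {', '.join(finding['resources'])}")
```

In the sample, the `scanner` service account is the case that matters for this campaign: a wildcard ClusterRole bound cluster-wide to a workload identity means a compromised pod using that token has the reach the article describes. The read-only `node-reader` binding is not reported, and the `pod-exec` binding is reported but scoped to one namespace.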

