Open-source software provides the essential building blocks for modern digital infrastructure. From large-scale cloud environments to everyday business applications, organisations across the globe rely on shared code to maintain efficiency. However, a recent and highly sophisticated campaign by a hacking group known as TeamPCP has exposed the inherent risks within this software supply chain.
By poisoning widely utilised security tools and deploying self-propagating malware, this group has demonstrated how a single point of failure can have international repercussions. While the campaign has most recently focused on deploying a destructive data wiper against machines in Iran, the methods used serve as a critical warning for businesses everywhere.
Who is TeamPCP and What is Their Objective?
TeamPCP is a hacking group that first gained visibility in late 2025. They are distinguished by their exceptional skill in large-scale automation and their ability to integrate various well-known attack techniques into a single, cohesive campaign.
Initially, the group appeared to be driven by financial gain. Their earlier activities involved compromising cloud-hosted platforms to facilitate data exfiltration, ransomware deployment, and cryptocurrency mining. However, their more recent actions suggest a shift in strategy. By targeting high-profile open-source projects and security tools, TeamPCP appears to be seeking maximum visibility, effectively sending a deliberate signal to the global cybersecurity community.
The Trivy Supply Chain Compromise
The most significant escalation in this campaign involved a supply chain attack on Trivy, a popular vulnerability scanner. By gaining unauthorised access to a GitHub account belonging to the creators of the tool, TeamPCP managed to compromise almost every version of the software.
This type of attack is particularly dangerous because it exploits the trust developers place in their security tools. When a team updates their software to ensure they are protected against vulnerabilities, they may unintentionally introduce malicious code into their own environment. In this instance, the compromised tool allowed TeamPCP to spread malware automatically to a vast number of systems with no user interaction required.
CanisterWorm and the Targeting of Iran
The malware deployed by TeamPCP, referred to by researchers as CanisterWorm, is a self-propagating “worm.” Once it gains access to a machine, it can automatically seek out and infect other systems on the network.
As the campaign progressed, the group added a new and destructive component: a data wiper named Kamikaze. This specific payload is programmed to check the configuration of the infected machine. If the malware detects that the machine is set to the Iranian timezone or is configured for use within Iran, it activates a routine that permanently deletes data. While the primary impact of the Kamikaze wiper has been focused on Iran, the underlying worm continues to pose a threat to systems globally by acting as a backdoor for other malicious activities.
Protecting Your Organisation from Supply Chain Risks
The TeamPCP campaign highlights that even the tools designed to protect us can be turned into weapons. To enhance your security posture against such sophisticated threats, you may wish to consider the following strategies:
Secure Administrative Access
If your organisation manages code or uses platforms like GitHub, ensuring that administrative accounts are protected by multi-factor authentication and strong, unique credentials is essential. This can help prevent the type of account takeover that allowed the Trivy compromise to occur.
Audit Third-Party Software Dependencies
It is important to understand which open-source components and third-party tools are integrated into your environment. Regularly auditing these dependencies and monitoring for security advisories can help you respond more quickly to potential supply chain threats.
Monitor Cloud Configurations
TeamPCP has frequently targeted cloud-hosted platforms that are not properly secured. Implementing a rigorous process for auditing cloud permissions and configurations can contribute to a stronger defence against automated scanning and intrusion.
Implement Integrity Verification
Where possible, consider implementing processes to verify the integrity of software updates before they are deployed across your network. This might include checking digital signatures or testing updates in a controlled, isolated environment first.
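As an added illustration of the checksum step described above (this is example code, not part of the original post or of any vendor's tooling), the following POSIX shell routine refuses to install a downloaded tool release unless its SHA-256 digest matches a value pinned in advance. The file paths and the expected digest are placeholders; in practice the pinned value comes from the project's published checksum or signature file, obtained over a channel separate from the download itself.

```shell
#!/bin/sh
# Added example (not from the original post): gate installation of a
# downloaded release on a SHA-256 digest pinned out-of-band. Placeholder
# values are used for the file path and expected digest.

# Print the SHA-256 of a file, using whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_artifact FILE EXPECTED_SHA256
# Returns 0 only when the file exists and its digest matches exactly;
# a missing file or a mismatch is reported on stderr and returns 1.
verify_artifact() {
    file="$1"
    expected="$2"
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    actual="$(sha256_of "$file")"
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $file" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi
    return 0
}

# install_if_verified FILE EXPECTED_SHA256 DEST
# Copies the artefact into place only after verification succeeds,
# so a tampered download never reaches the install path.
install_if_verified() {
    verify_artifact "$1" "$2" || return 1
    cp "$1" "$3" && chmod 0755 "$3"
}

# Placeholder usage: the digest below is NOT a real release hash.
# install_if_verified ./trivy-download.tar.gz \
#     "<pinned-sha256-from-trusted-channel>" /usr/local/bin/trivy
```

Pairing this with testing the verified update in an isolated environment, as the section suggests, covers both halves of the recommendation.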
Professional Guidance from Vertex
The digital landscape is increasingly complex, and the rise of automated, self-propagating threats like those from TeamPCP requires a proactive approach to security. Managing software supply chain risks is a significant challenge for any modern business.
At Vertex, we provide expert assistance to help organisations identify vulnerabilities and improve their overall resilience. Whether you require a comprehensive penetration test to identify potential entry points or a technical audit of your cloud infrastructure, our team of experts is dedicated to helping you protect your valuable data and reputation.
If you are concerned about how supply chain vulnerabilities could affect your business, please contact Vertex Cyber Security for tailored advice and professional support.