Supply Chain, Mar 23, 2026

New CanisterWorm Targets Kubernetes Clusters, Deploys “Kamikaze” Wiper

CanisterWorm spreads via compromised npm packages, targets Kubernetes clusters with destructive Kamikaze wiper.

Summary

CanisterWorm, attributed to TeamPCP, is a rapidly spreading malware campaign that exploited compromised npm packages and hijacked developer accounts to infect Kubernetes environments. The malware uses a blockchain-based command-and-control mechanism on the Internet Computer Protocol and deploys a destructive wiper payload called Kamikaze specifically against Kubernetes clusters in Iran's timezone, while acting as a backdoor elsewhere. The campaign also steals SSH keys to move laterally across local networks and masquerades as a legitimate database tool using service names like 'pgmon' and 'pgmonitor'.

Full text

CanisterWorm spreads via an npm supply chain attack, hijacks developer accounts, targets Kubernetes clusters, and deploys the destructive Kamikaze wiper payload.

by Deeba Ahmed, March 23, 2026

A fast-moving malware campaign dubbed CanisterWorm is spreading rapidly through developer ecosystems, moving between machines in seconds. First observed on 20 March 2026 at 20:45 UTC, the campaign escalated within 48 hours from credential theft to destructive attacks against Kubernetes environments.

The group behind the activity, TeamPCP, seeded malicious code into more than 45 npm packages. Investigators link the campaign to the earlier compromise of Aqua Security’s Trivy scanner, with stolen credentials used to take over maintainer accounts and publish infected updates.

Researchers at Aikido Security, who shared details with Hackread.com, report that infected systems are scanned for authentication tokens. These tokens let the attackers reuse compromised accounts to distribute additional malicious packages. In one instance, 28 packages were hijacked in under a minute.

The campaign also introduces a new control mechanism, and this is what makes the attack truly unusual. Instead of traditional infrastructure, it uses a blockchain canister on the Internet Computer Protocol to deliver commands, which the researchers describe as a first. Because the canister lives on a decentralised blockchain, there is no central server to seize, which makes the system very hard for authorities to shut down. “Attackers can take over software distribution… and in some cases wipe infrastructure,” noted Charlie Eriksen, blog author and a security researcher at Aikido Security.

The malware follows a simple but brutal logic based on where it is running. While it acts as a silent spy on most systems, it turns into a destructive wiper when it identifies specific targets. If it detects a Kubernetes cluster whose timezone is Asia/Tehran (that is, located in Iran), it uses a Kubernetes DaemonSet to push the malware onto every node in that cluster, then launches a program called Kamikaze to delete all files and crash the system. Outside Iran, the same DaemonSet mechanism installs the CanisterWorm backdoor instead. On an Iranian host that is not part of a Kubernetes cluster, the malware tries to wipe the disk immediately; on hosts elsewhere that do not use these cloud tools, the script simply gives up and exits.

It is also worth noting that the worm no longer needs a cloud cluster to spread. It can steal SSH keys to jump between machines on a local network. So, if you are a developer, you should check for any unfamiliar services named “pgmon” or “pgmonitor.” These are fake names used to hide the malware by pretending to be a common database tool.
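A defender's triage check for the two host-level signs the article names (a service masquerading as pgmon/pgmonitor, and a DaemonSet nobody provisioned). This is an added example, not code from Hackread or Aikido; the DaemonSet allowlist and the sample `systemctl`/`kubectl` output are constructed assumptions, and the live run assumes both tools are on PATH.

```python
import json
import re
import subprocess
from typing import Iterable

# Service names the article reports the malware hides behind.
SUSPICIOUS_SERVICES = {"pgmon", "pgmonitor"}

# Assumption: an allowlist of DaemonSets you expect in this cluster (maintain per cluster).
EXPECTED_DAEMONSETS = {"kube-system/kube-proxy", "kube-system/node-exporter"}


def flag_services(systemctl_output: str) -> list[str]:
    """Return unit names from `systemctl list-units --type=service --all`
    output whose base name is one of the suspicious names."""
    hits = []
    for line in systemctl_output.splitlines():
        m = re.match(r"\s*[●*]?\s*(\S+?)\.service\s", line)
        if m and m.group(1).lower() in SUSPICIOUS_SERVICES:
            hits.append(m.group(1) + ".service")
    return hits


def flag_daemonsets(kubectl_json: str, expected: Iterable[str]) -> list[str]:
    """Return namespace/name of every DaemonSet (from `kubectl get daemonsets -A -o json`)
    not on the allowlist; the article describes a DaemonSet as the per-node delivery step."""
    known = set(expected)
    items = json.loads(kubectl_json).get("items", [])
    keys = [f"{i['metadata']['namespace']}/{i['metadata']['name']}" for i in items]
    return [k for k in keys if k not in known]


# Constructed sample output (not real data) so the checks can run offline.
SAMPLE_SYSTEMCTL = """\
  UNIT                 LOAD   ACTIVE SUB     DESCRIPTION
  cron.service         loaded active running Regular background program processing daemon
  pgmon.service        loaded active running pgmon
  postgresql.service   loaded active running PostgreSQL RDBMS
"""
SAMPLE_DAEMONSETS = json.dumps({"items": [
    {"metadata": {"namespace": "kube-system", "name": "kube-proxy"}},
    {"metadata": {"namespace": "default", "name": "constructed-unexpected"}},
]})

if __name__ == "__main__":
    # Live run on a host: assumes systemctl and kubectl are available.
    svc = subprocess.run(["systemctl", "list-units", "--type=service", "--all",
                          "--no-pager", "--plain"], capture_output=True, text=True).stdout
    ds = subprocess.run(["kubectl", "get", "daemonsets", "-A", "-o", "json"],
                        capture_output=True, text=True).stdout
    print("suspicious services:", flag_services(svc))
    print("unexpected DaemonSets:", flag_daemonsets(ds, EXPECTED_DAEMONSETS))
```

A hit from either function is a lead for investigation, not proof of compromise; confirm against the unit file contents and the DaemonSet's image and creator.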

Indicators of Compromise

  • malware — CanisterWorm
  • malware — Kamikaze
  • threat actor — TeamPCP
  • service name — pgmon
  • service name — pgmonitor