Self-propagating malware poisons open source software and wipes Iran-based machines

In an email, Aikido researcher Charlie Eriksen said the canister was taken down Sunday night and is no longer available.

“It wasn’t as reliable/untouchable as they expected,” Eriksen wrote. “But for a while, it would have wiped systems if infected.”

Like previous TeamPCP malware, CanisterWorm, as Aikido has named the malware, targets organizations’ CI/CD pipelines used for rapid development and deployment of software.

“Every developer or CI pipeline that installs this package and has an npm token accessible becomes an unwitting propagation vector, Eriksen wrote. “Their packages get infected, their downstream users install those, and if any of them have tokens, the cycle repeats.”

As the weekend progressed, CanisterWorm was updated to add an additional payload: a wiper that targets machines exclusively in Iran. When the updated worm infects machines, it checks if the machine is in the Iranian timezone or is configured for use in that country. When either condition was met, the malware no longer activated the credential stealer and instead triggered a novel wiper that TeamPCP developers named Kamikaze. Eriksen said in an email that there’s no indication yet that the worm caused actual damage to Iranian machines, but that there was “clear potential for large-scale impact if it achieves active spread.”