CanisterWorm malware represents a dangerous escalation in supply chain attacks: it spreads through compromised npm packages and uses Internet Computer Protocol (ICP) blockchain canisters as a command-and-control server that defenders cannot simply take down. The self-propagating worm, attributed to the cybercrime group TeamPCP, first appeared in late 2025 and has evolved from credential theft into a geopolitically targeted destructive attack. What makes CanisterWorm particularly alarming is not its technical sophistication but its willingness to destroy rather than steal, a shift that suggests either a dramatic change in attacker motivation or a calculated attempt by a criminal group to insert itself into a geopolitical conflict.
Key Takeaways
- CanisterWorm spreads via npm supply chain, compromising over 45 packages including Aqua Security’s Trivy scanner
- Uses Internet Computer Protocol canisters as blockchain-based C2 infrastructure resistant to takedown
- Targets Iranian systems with destructive Kamikaze wiper that deletes files and force-reboots Kubernetes nodes
- First destructive payload observed March 20-22, 2026, after months of reconnaissance and backdoor deployment
- Detects Iran via timezone and locale checks, deploying different payloads for Iranian versus non-Iranian targets
How CanisterWorm spreads through npm and cloud infrastructure
CanisterWorm’s distribution mechanism exploits the trust placed in open-source package repositories. The malware compromised more than 45 npm packages, with a particularly brazen attack in December 2025 targeting Aqua Security’s Trivy vulnerability scanner, a tool organizations worldwide rely on for container security. Attackers used stolen credentials to hijack 28 packages in under a minute, a pace that implies an automated publishing pipeline rather than manual tampering. The worm then propagates through misconfigured cloud services: unauthenticated Docker APIs listening on TCP port 2375, Kubernetes clusters, Redis servers, and CI/CD pipelines that lack proper network segmentation.
Once inside a network, CanisterWorm performs aggressive lateral movement. It harvests SSH private keys from compromised hosts and mines SSH authentication logs for hosts where those keys can be reused, scans local subnets for exposed Docker APIs, and delivers payloads through Cloudflare tunnel domains so that its traffic blends in with legitimate Cloudflare-fronted services. This multi-vector approach means a single misconfigured service can become an entry point for network-wide compromise. The worm requires no user interaction; it spreads automatically through automation and infrastructure misconfigurations.
CanisterWorm’s blockchain C2 infrastructure and why it matters
Rather than relying on traditional command-and-control servers that law enforcement can take down, TeamPCP leveraged Internet Computer Protocol canisters: blockchain-hosted smart contracts that serve code, data, and web content. A canister address like tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io operates as a decentralized control server that keeps running as long as someone keeps it funded with cycles, the ICP's prepaid compute fee. This architectural choice makes CanisterWorm significantly harder to disrupt than botnets relying on rented infrastructure. One caveat matters for defenders: the canister itself is out of reach, but the worm still reaches it through the ICP's public gateway domains (the .raw.icp0.io suffix in the address above), so DNS logging and egress filtering for those domains remain a workable control.
The use of ICP canisters represents a tactical evolution in malware design. Blockchain-based C2 infrastructure had been explored for years, but TeamPCP appears to be among the first to operationalize it at scale in a real-world worm. This matters because it shifts the burden of disruption from network takedowns to attacking the economic model: either freezing the attacker’s cryptocurrency holdings or cutting off the cycles that keep the canister running, both significantly harder than shutting down a rented server.
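Because the canister cannot be seized, the practical defensive hook is the gateway hostname the worm must resolve. The script below, an added example written for this article and not code from Aikido, TeamPCP or DFINITY, scans DNS log lines for ICP gateway lookups and validates the canister id embedded in the hostname (textual principals are base32 of a CRC32 prefix plus the raw id, and canister ids end in byte 0x01), so a hit is an indicator you can pivot on rather than a string match. The gateway suffix list is the author's assumption about the public boundary-node domains and should be extended for your environment; the log lines are constructed.

```python
"""Flag Internet Computer (ICP) gateway lookups in DNS logs and recover the
canister id each one addresses.

Added example for this article, not code from Aikido, TeamPCP or DFINITY.
Assumptions: the gateway suffixes below are the public boundary-node domains
known to the author (extend the tuple for your environment), and the log lines
are constructed here in the form "<timestamp> <client> <qtype> <qname>".
"""
import base64
import binascii
import zlib

# Longer suffixes first so the canister label is isolated correctly.
ICP_GATEWAY_SUFFIXES = (".raw.icp0.io", ".icp0.io", ".raw.ic0.app", ".ic0.app")


def decode_principal(text):
    """Textual ICP principal -> raw bytes.

    The text form is unpadded lowercase base32 of crc32(raw) || raw, written
    in 5-character groups joined by '-'. Raises ValueError on a bad checksum
    and binascii.Error on characters outside the base32 alphabet."""
    compact = text.replace("-", "").upper()
    blob = base64.b32decode(compact + "=" * (-len(compact) % 8))
    if len(blob) < 5:
        raise ValueError("principal too short")
    if int.from_bytes(blob[:4], "big") != zlib.crc32(blob[4:]) & 0xFFFFFFFF:
        raise ValueError("principal checksum mismatch")
    return blob[4:]


def encode_principal(raw):
    """Inverse of decode_principal; used below to build a known-good sample id."""
    blob = (zlib.crc32(raw) & 0xFFFFFFFF).to_bytes(4, "big") + raw
    compact = base64.b32encode(blob).decode().rstrip("=").lower()
    return "-".join(compact[i:i + 5] for i in range(0, len(compact), 5))


def is_canister_id(text):
    """Canister principals are 'opaque' ids: at most 29 bytes, last byte 0x01.
    Random labels fail the CRC or the class byte, which keeps noise down."""
    try:
        raw = decode_principal(text)
    except (ValueError, binascii.Error):
        return False
    return 0 < len(raw) <= 29 and raw[-1] == 0x01


def canister_from_host(host):
    """Return (gateway_suffix, canister_id_or_None) for a hostname on an ICP
    gateway domain, or None when the host is not on one."""
    host = host.lower().rstrip(".")
    for suffix in ICP_GATEWAY_SUFFIXES:
        if host.endswith(suffix):
            label = host[: -len(suffix)].rsplit(".", 1)[-1]
            return suffix, (label if is_canister_id(label) else None)
    return None


def scan_dns_log(lines):
    """One finding per ICP gateway lookup. A hit with canister=None is still a
    gateway lookup worth a look; it just did not carry a well-formed canister id."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        hit = canister_from_host(parts[-1])
        if hit:
            findings.append({"ts": parts[0], "client": parts[1], "qname": parts[-1],
                             "gateway": hit[0], "canister": hit[1]})
    return findings


# Constructed sample, not real telemetry. Line 1 carries the gateway hostname
# quoted in the article; line 2 uses a synthetic id built by encode_principal.
SAMPLE_CANISTER = encode_principal(bytes.fromhex("00000000000000ab0101"))
SAMPLE_LOG = [
    "2026-03-21T10:02:11Z 10.0.4.17 A tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io",
    "2026-03-21T10:02:12Z 10.0.4.17 A " + SAMPLE_CANISTER + ".icp0.io",
    "2026-03-21T10:02:13Z 10.0.4.18 A registry.npmjs.org",
    "2026-03-21T10:02:14Z 10.0.4.19 A notacanister.icp0.io",
]

if __name__ == "__main__":
    for f in scan_dns_log(SAMPLE_LOG):
        print(f["ts"], f["client"], f["qname"], "canister=" + str(f["canister"]))
```

Any lookup for these gateway domains from a build runner or cluster node that has no business with the Internet Computer deserves attention, and a validated canister id is the stable indicator, because the same canister is reachable through any gateway hostname. The gateways also serve legitimate dapps, so allowlist the canisters your organization actually uses rather than the domains.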
Why CanisterWorm targets Iran with a destructive wiper
CanisterWorm’s behavior diverges sharply when it detects an Iranian system. The malware checks for the Asia/Tehran timezone and a Farsi locale, then deploys different payloads based on what it finds. On Kubernetes clusters in Iran, it deploys privileged DaemonSets named host-provisioner-iran across all nodes, including the control plane, then executes a Kamikaze wiper that deletes files and force-reboots every node. On non-Kubernetes Iranian hosts, it performs local file destruction. Non-Iranian systems instead receive a backdoor installed as a systemd service for persistent access and credential theft.
This targeting strategy raises uncomfortable questions about motivation. TeamPCP is fundamentally a financially motivated cybercrime group, yet the Iran-specific wiper destroys value rather than extracting it. Krebs on Security characterized this behavior as “a financially motivated data theft and extortion group attempting to inject itself into the Iran war”, a provocative interpretation suggesting a geopolitical motive rather than pure profit. However, no actual damage to Iranian systems has been confirmed, despite the wiper's destructive potential.
CanisterWorm versus TeamPCP’s previous Trivy compromise
CanisterWorm represents an evolution of TeamPCP’s tactics demonstrated in their December 2025 Trivy scanner compromise, which used the same blockchain-based infrastructure but focused on credential theft and extortion over Telegram. The earlier attack was opportunistic: compromise a widely-used tool, steal credentials from organizations using it, and demand payment to prevent data sale. CanisterWorm maintains that same supply chain attack vector but adds destructive capability and geopolitical targeting. Where the Trivy compromise was about extracting value, CanisterWorm introduces the option to destroy it entirely.
Earlier CanisterWorm variants relied exclusively on Kubernetes DaemonSets for propagation, but the latest iteration drops that dependency. The updated worm spreads via SSH key theft and Docker API scanning, making it effective against organizations that lack Kubernetes entirely. This architectural flexibility suggests the malware is under active development and that TeamPCP views it as a long-term platform rather than a one-off campaign.
What organizations should do right now
The immediate risk is clear: audit npm dependencies for any packages that may have been compromised, particularly tools in the security and DevOps space. Organizations running Kubernetes should check for suspicious DaemonSets named host-provisioner-iran or host-provisioner-std, review node and container logs for unexpected privileged workloads, mass file deletion, or reboots, and verify that control plane nodes have not been compromised. Disable the Docker API on TCP 2375 (or bind it to loopback only and require TLS client authentication for any remote access), treat SSH keys on any potentially exposed host as stolen and rotate them, and implement network segmentation to limit lateral movement.
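The Kubernetes and Docker checks above are quick to script. The following is an added example written for this article, not tooling from Aikido or any vendor: it audits a DaemonSet list shaped like `kubectl get daemonsets -A -o json` for the reported names and for the host-level privileges the article describes (privileged containers, hostPID, hostPath mounts, tolerations that reach the control plane), and parses `ss -Hltn`-style output for a Docker API bound to 2375 on a non-loopback address. This also covers the exposed-Docker-API propagation path described earlier. The sample cluster dump and socket lines are constructed, and the "host-provisioner-" prefix is an assumption that covers both DaemonSet names the article reports.

```python
"""Triage for two indicators this section lists: DaemonSets that match the
reported names or run with host-level privileges, and a Docker API bound to
TCP 2375 on a non-loopback address.

Added example for this article, not tooling from Aikido or any vendor. Inputs
are constructed: a document shaped like `kubectl get daemonsets -A -o json`
and a few lines shaped like `ss -Hltn`. Assumption: the prefix
"host-provisioner-" covers both DaemonSet names the article reports.
"""
import json
import sys

SUSPICIOUS_DS_PREFIX = "host-provisioner-"
CONTROL_PLANE_TAINTS = {
    "node-role.kubernetes.io/control-plane",
    "node-role.kubernetes.io/master",
}
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def daemonset_findings(ds_list):
    """One finding per DaemonSet with a reported name or host-level reach:
    privileged containers, hostPID/hostNetwork/hostIPC, hostPath mounts, or
    tolerations that let it schedule onto control-plane nodes."""
    findings = []
    for item in ds_list.get("items", []):
        meta = item.get("metadata", {})
        pod = item.get("spec", {}).get("template", {}).get("spec", {})
        reasons = []
        if meta.get("name", "").startswith(SUSPICIOUS_DS_PREFIX):
            reasons.append("name matches reported indicator")
        for c in pod.get("containers", []) + pod.get("initContainers", []):
            if (c.get("securityContext") or {}).get("privileged"):
                reasons.append("privileged container " + c.get("name", "?"))
        for flag in ("hostPID", "hostNetwork", "hostIPC"):
            if pod.get(flag):
                reasons.append(flag)
        for v in pod.get("volumes", []):
            if "hostPath" in v:
                reasons.append("hostPath " + v["hostPath"].get("path", "?"))
        for t in pod.get("tolerations", []):
            # A keyless Exists toleration matches every taint, control plane included.
            if t.get("key") in CONTROL_PLANE_TAINTS or (
                t.get("operator") == "Exists" and not t.get("key")
            ):
                reasons.append("tolerates control-plane taint")
                break
        if reasons:
            findings.append({"namespace": meta.get("namespace", ""),
                             "name": meta.get("name", ""), "reasons": reasons})
    return findings


def exposed_docker_listeners(ss_lines, port=2375):
    """Local addresses from `ss -Hltn` output where the Docker API port is bound
    to anything other than loopback (column 4 is Local Address:Port)."""
    exposed = []
    for line in ss_lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        host, _, p = parts[3].rpartition(":")
        if p == str(port) and host.strip("[]") not in LOOPBACK:
            exposed.append(parts[3])
    return exposed


# Constructed sample data, not from any real cluster or host.
SAMPLE_DS = {"items": [
    {"metadata": {"name": "host-provisioner-iran", "namespace": "kube-system"},
     "spec": {"template": {"spec": {
         "hostPID": True,
         "tolerations": [{"operator": "Exists"}],
         "containers": [{"name": "provisioner", "image": "busybox",
                         "securityContext": {"privileged": True}}],
         "volumes": [{"name": "root", "hostPath": {"path": "/"}}]}}}},
    {"metadata": {"name": "node-exporter", "namespace": "monitoring"},
     "spec": {"template": {"spec": {
         "containers": [{"name": "exporter", "image": "prom/node-exporter"}],
         "volumes": [{"name": "proc", "hostPath": {"path": "/proc"}}]}}}},
    {"metadata": {"name": "metrics-agent", "namespace": "monitoring"},
     "spec": {"template": {"spec": {
         "containers": [{"name": "agent", "image": "example/agent"}]}}}},
]}
SAMPLE_SS = [
    "LISTEN 0 4096 127.0.0.1:2375 0.0.0.0:*",
    "LISTEN 0 4096 0.0.0.0:2375 0.0.0.0:*",
    "LISTEN 0 4096 [::]:2375 [::]:*",
    "LISTEN 0 128 0.0.0.0:22 0.0.0.0:*",
]

if __name__ == "__main__":
    # `kubectl get daemonsets -A -o json | python3 triage.py -` audits a live cluster.
    ds = json.load(sys.stdin) if sys.argv[1:] == ["-"] else SAMPLE_DS
    for f in daemonset_findings(ds):
        print(f"{f['namespace']}/{f['name']}: " + "; ".join(f["reasons"]))
    for addr in exposed_docker_listeners(SAMPLE_SS):
        print("Docker API exposed on", addr)
```

Legitimate agents such as node-exporter surface too, so read the reasons rather than the count: a DaemonSet that combines a privileged container, hostPID, a hostPath mount of / and a toleration that reaches control-plane nodes is the pattern the article describes, and anything with that profile you did not deploy should be treated as compromise. For the Docker side, remove any `-H tcp://0.0.0.0:2375` listener from the daemon's configuration; if remote access is genuinely needed, serve it on 2376 with `tlsverify` and client certificates.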
The broader lesson is uncomfortable: open-source supply chains remain a critical vulnerability, and blockchain-based infrastructure introduces new complexity to incident response. Takedown operations that worked against traditional botnets may not work against decentralized C2 systems. Organizations cannot wait for law enforcement or security vendors to solve CanisterWorm—they must assume compromise is possible and focus on detection, containment, and recovery.
Has CanisterWorm caused actual damage to Iranian systems?
No confirmed damage has been reported yet, though the destructive potential is significant. Researcher Charlie Eriksen from Aikido Security noted there is “clear potential for large-scale impact if it achieves active spread”. The wiper component was first observed March 20-22, 2026, suggesting the attack may still be in early stages of deployment.
Why does CanisterWorm use blockchain for command-and-control?
Internet Computer Protocol canisters provide decentralized, censorship-resistant infrastructure that keeps operating as long as the canister is funded with cycles. That makes traditional takedown operations far less effective than against botnets on rented servers; blockchain-based C2 is hard to disrupt through network intervention alone, although the gateway domains the worm resolves can still be logged and filtered.
How does CanisterWorm decide what to do on a target system?
The worm fingerprints each system by checking its timezone and locale settings. If it detects the Asia/Tehran timezone and a Farsi locale, it deploys destructive wiper payloads. Non-Iranian systems receive backdoors instead. This geopolitical targeting suggests either a shift in TeamPCP’s motivations or involvement from state-aligned actors.
CanisterWorm exposes a fundamental weakness in how modern infrastructure is secured: the combination of supply chain trust, misconfigured cloud services, and inadequate network segmentation creates a perfect vector for self-propagating malware. The use of blockchain-based command-and-control is not a technical breakthrough, but it is a tactical one that shifts the burden of defense onto organizations rather than infrastructure providers. The real threat is not the sophistication of the worm itself—it is the ecosystem of vulnerable systems it can exploit and the geopolitical implications of its Iran-targeting behavior.
This article was written with AI assistance and editorially reviewed.
Source: Tom's Hardware