Self-propagating malware poisons open source software and wipes Iran-based machines

March 25, 2026

Here's something that’ll make you think twice about open-source security — there’s a new, highly sneaky hacker group called TeamPCP. According to Dan Goodin at Ars Technica, they’ve been on a rampage since December, spreading a self-replicating backdoor that’s unlike anything we’ve seen before. But here’s where it gets chilling — they’re also deploying a data wiper that specifically targets Iran-based machines. This isn’t just random hacking; it’s a calculated, evolving campaign. Recently, they compromised the popular Trivy vulnerability scanner by hijacking Aqua Security’s GitHub account, as Dan reports. That supply-chain attack means they can slip malicious code into widely used tools, making the threat even bigger. What’s fascinating — and frightening — is how skilled they are at automation and using well-known attack methods to stay ahead of defenders. So, what does this mean for your security? The landscape is shifting fast, and this group’s relentless evolution shows we need to stay sharper than ever. Keep an eye on this one, because it’s far from over.

A new hacking group has been rampaging the Internet in a persistent campaign that spreads a self-propagating and never-before-seen backdoor—and curiously a data wiper that targets Iranian machines.

The group, tracked under the name TeamPCP, first gained visibility in December, when researchers from security firm Flare observed it unleashing a worm that targeted cloud-hosted platforms that weren’t properly secured. The objective was to build a distributed proxy and scanning infrastructure and then use it to compromise servers for exfiltrating data, deploying ransomware, conducting extortion, and mining cryptocurrency. The group is notable for its skill in large-scale automation and integration of well-known attack techniques.

Relentless and constantly evolving

More recently, TeamPCP has waged a relentless campaign that uses continuously evolving malware to bring ever more systems under its control. Late last week, it compromised virtually all versions of the widely used Trivy vulnerability scanner in a supply-chain attack after gaining privileged access to the GitHub account of Aqua Security, the Trivy creator.

Self-propagating malware poisons open source software and wipes Iran-based machines | Speasy