Executive Summary
In March 2026, the cybercrime group TeamPCP launched a supply chain attack by compromising Aqua Security's Trivy vulnerability scanner, injecting credential-stealing malware into official releases on GitHub. This malicious code targeted authentication credentials, cloud tokens, and cryptocurrency wallets. Subsequently, TeamPCP deployed 'CanisterWorm,' a self-propagating worm that exploited exposed Docker APIs, Kubernetes clusters, and Redis servers. The worm included a wiper component designed to destroy data on systems set to Iran's time zone or with Farsi as the default language, significantly impacting Iranian organizations.
This incident underscores the escalating threat of supply chain attacks and the increasing use of wiper malware by financially motivated groups. Organizations must enhance their security measures, particularly in securing development pipelines and cloud infrastructures, to mitigate such sophisticated threats.
Why This Matters Now
The CanisterWorm attack highlights the urgent need for organizations to secure their software supply chains and cloud environments against sophisticated threats that exploit trusted tools and services.
Attack Path Analysis
TeamPCP initiated the attack by exploiting exposed Docker APIs, Kubernetes clusters, Redis servers, and the React2Shell vulnerability to gain unauthorized access to cloud environments. They escalated privileges by leveraging misconfigurations and stolen credentials to gain higher-level access within the compromised cloud infrastructure. Utilizing the compromised cloud control planes, they moved laterally to infect additional systems and services within the cloud environment. The attackers established command and control by deploying a self-propagating worm that communicated with their infrastructure to receive further instructions. They exfiltrated sensitive data, including authentication credentials and cryptocurrency wallets, from the compromised systems. Finally, they deployed a wiper component that destroyed data on systems identified as being located in Iran, causing significant operational disruption.
Kill Chain Progression
Initial Compromise
Description
TeamPCP exploited exposed Docker APIs, Kubernetes clusters, Redis servers, and the React2Shell vulnerability to gain unauthorized access to cloud environments.
MITRE ATT&CK® Techniques
Supply Chain Compromise
Remote Services: Cloud Services
Data from Cloud Storage
Cloud Service Discovery
Cloud Service Hijacking
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Change Control Processes
Control ID: 6.4.1
NYDFS 23 NYCRR 500 – Encryption of Nonpublic Information
Control ID: 500.15
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity and Access Management
Control ID: 3.1
NIS2 Directive – Supply Chain Security
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
Supply chain attacks targeting GitHub Actions, vulnerability scanners, and cloud infrastructure create critical risks for software development pipelines and CI/CD security.
Information Technology/IT
Automated worms exploiting Docker APIs, Kubernetes clusters, and cloud misconfigurations threaten IT infrastructure operations requiring enhanced east-west traffic monitoring.
Pharmaceuticals
TeamPCP's claimed compromise of multinational pharmaceutical firms highlights sector vulnerability to credential theft and data exfiltration via cloud service exploitation.
Computer/Network Security
Direct targeting of security tools like Trivy and KICS scanners undermines cybersecurity firms' supply chain integrity and customer trust.
Sources
- ‘CanisterWorm’ Springs Wiper Attack Targeting Iranhttps://krebsonsecurity.com/2026/03/canisterworm-springs-wiper-attack-targeting-iran/Verified
- Aqua Securityhttps://es.wikipedia.org/wiki/Aqua_SecurityVerified
- Weekly Cybersecurity Briefing (9 March – 15 March 2026)https://www.cybersecbrief.com/insight/weekly-roundup/weekly-roundup-2026-03-16-12-00-00?download_pdf=1Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have constrained the attacker's ability to exploit vulnerabilities, escalate privileges, and exfiltrate data by enforcing strict segmentation and identity-aware access controls.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Implementing Aviatrix CNSF would likely have limited unauthorized access by enforcing strict segmentation and identity-aware access controls, reducing the attacker's ability to exploit exposed services.
Control: Zero Trust Segmentation
Mitigation: Zero Trust Segmentation would likely have constrained privilege escalation by enforcing least-privilege access controls, limiting the attacker's ability to gain higher-level access.
Control: East-West Traffic Security
Mitigation: East-West Traffic Security would likely have limited lateral movement by monitoring and controlling internal traffic, reducing the attacker's ability to spread within the environment.
Control: Multicloud Visibility & Control
Mitigation: Multicloud Visibility & Control would likely have constrained command and control activities by providing comprehensive monitoring and control over cross-cloud communications, reducing the attacker's ability to maintain control.
Control: Egress Security & Policy Enforcement
Mitigation: Egress Security & Policy Enforcement would likely have limited data exfiltration by controlling outbound traffic, reducing the attacker's ability to transmit sensitive data externally.
While Aviatrix CNSF could have constrained earlier stages of the attack, the deployment of a wiper component indicates a residual risk where data destruction occurred, leading to operational disruption.
Impact at a Glance
Affected Business Functions
- Cloud Service Operations
- Data Storage and Management
- Software Development
- Supply Chain Management
Estimated downtime: 3 days
Estimated loss: $500,000
Potential exposure of sensitive data from compromised cloud environments, including authentication credentials, cloud service configurations, and possibly customer data.
Recommended Actions
Key Takeaways & Next Steps
- • Implement Zero Trust Segmentation to enforce least privilege access and prevent unauthorized lateral movement within cloud environments.
- • Deploy East-West Traffic Security controls to monitor and restrict internal traffic, mitigating the spread of self-propagating worms.
- • Utilize Multicloud Visibility & Control solutions to gain comprehensive insights into cloud infrastructure and detect anomalous activities.
- • Enforce Egress Security & Policy Enforcement to control outbound traffic and prevent data exfiltration to unauthorized destinations.
- • Establish Threat Detection & Anomaly Response mechanisms to identify and respond to malicious activities in real-time.
