TeamPCP malware poisons open source supply chain

TeamPCP just demonstrated something terrifying: a worm that doesn't need human help to spread through open source ecosystems. It compromised npm tokens, poisoned packages, and used blockchain to stay untouchable.

How TeamPCP's Self-Propagating Worm Turned Open Source Into a Backdoor Factory — theAIcatchup

Key Takeaways

  • TeamPCP deployed a self-propagating worm that automatically harvests npm tokens and poisons packages without manual intervention—escalating from manual to fully automated supply chain attacks
  • The group uses Internet Computer Protocol smart contracts for command-and-control, making their infrastructure resistant to traditional takedown tactics used against centralized botnets
  • This represents a fundamental shift in supply chain attack sophistication: moving from single-project poisoning to ecosystem-scale automation with blockchain-based persistence

A worm is spreading through open source right now, and it doesn’t need you to click anything.

TeamPCP—a hacking group that emerged into the spotlight just last December—has been methodically compromising cloud infrastructure, stealing credentials, and deploying ransomware across hundreds of targets. But what makes this particular campaign different, and deeply unsettling, is how they’ve weaponized the trust that developers place in the tools they use every single day. The attack isn’t some theoretical vulnerability. It’s happening in real time, auto-propagating itself through npm packages with a sophistication that suggests the group understands supply chains better than most security teams.

The story starts with a breach of Aqua Security’s GitHub account—a company that maintains Trivy, one of the most widely deployed vulnerability scanners in containerized environments. From there, TeamPCP pushed malicious versions of Trivy across virtually every major version track. Developers who pulled what they thought was a legitimate security tool were actually downloading a backdoor.

The Worm That Spreads Itself

Here’s where it gets scary.

Once infected, the malware doesn’t sit idle waiting for the next manual deployment. It hunts through the compromised machine for npm authentication tokens—those little credential files that developers often leave lying around with publish access to package registries. Find a token, and suddenly the worm can create new versions of any package that token has access to. It poisoned 28 packages in under 60 seconds during one observed incident.

But the really chilling part? Early versions of the worm required attackers to manually spread it across each package. The updated version pushed over the weekend removed that friction entirely.

The malware scours machines for access tokens to the npm repository and compromises any publishable packages available by creating a new version laced with the malicious code.

That’s the definition of exponential attack surface. One compromised developer machine doesn’t just infect one package anymore. It potentially infects dozens. Those poisoned packages then get downloaded by thousands more developers. Each new infection is another vector for token harvesting, another opportunity for lateral spread.

Why This Escape Mechanism Is Brilliant (And Terrifying)

TeamPCP made one architectural decision that deserves serious attention: they didn’t use a traditional command-and-control server.

Instead, they deployed their control infrastructure on the Internet Computer Protocol—a decentralized blockchain platform. Specifically, they used something called a canister, which is essentially a smart contract running on distributed nodes. The canister’s job is simple but elegant: point infected machines toward URLs hosting malicious binaries. Here’s the genius part—when security researchers or law enforcement start hunting for the control infrastructure, there’s no single server to seize. There’s no DNS record to poison. The smart contract itself is theoretically impossible for third parties to modify or take offline without consensus from the entire network.

Infected machines check in every 50 minutes. That’s frequent enough to feel responsive, but infrequent enough to avoid raising alarms on most monitoring systems.

This isn’t just clever infrastructure. This is a fundamental architectural shift in how adversaries think about persistence. They’re not building command-and-control servers anymore. They’re outsourcing resilience to decentralized networks. It’s the malware equivalent of migrating to cloud infrastructure—except the cloud is designed to be resistant to the exact takedown mechanisms security researchers have spent decades perfecting.
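A fixed check-in interval is itself a detection signal: grouping egress records by host and destination and measuring how regular the gaps are surfaces a 50-minute cadence even at low volume. The following is an added example, not code from the article or from any vendor; the record fields, host names, destinations and thresholds are assumptions, and the sample data is constructed.

```javascript
// Added example: flag host/destination pairs that connect at a near-fixed interval.
// Record fields, host names, destinations and thresholds are assumptions.

function medianOf(xs) {
  const s = [...xs].sort((a, b) => a - b);
  const mid = s.length >> 1;
  return s.length % 2 ? s[mid] : (s[mid - 1] + s[mid]) / 2;
}

// events: [{ host, dest, at }] with `at` in epoch milliseconds.
// jitter = median absolute deviation of the gaps / median gap (0 = perfectly regular).
function findBeacons(events, { minEvents = 5, maxJitter = 0.1 } = {}) {
  const groups = new Map();
  for (const e of events) {
    const key = `${e.host} -> ${e.dest}`;
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(e.at);
  }
  const findings = [];
  for (const [pair, times] of groups) {
    if (times.length < minEvents) continue;        // too few samples to judge
    times.sort((a, b) => a - b);
    const gaps = times.slice(1).map((t, i) => (t - times[i]) / 60000); // minutes
    const median = medianOf(gaps);
    if (median <= 0) continue;
    const jitter = medianOf(gaps.map(g => Math.abs(g - median))) / median;
    if (jitter <= maxJitter) findings.push({ pair, intervalMin: median, jitter });
  }
  return findings;
}

// Constructed sample: offsets are minutes after an arbitrary start time.
const T0 = Date.parse('2025-01-10T00:00:00Z');
const mk = (host, dest, minutes) =>
  minutes.map(m => ({ host, dest, at: T0 + m * 60000 }));
const SAMPLE_EGRESS = [
  ...mk('build-07', 'dest-a.example', [3, 53, 104, 153, 203, 254, 303]), // ~50 min cadence
  ...mk('build-07', 'registry.example', [1, 2, 40, 41, 200, 410]),       // irregular
  ...mk('laptop-12', 'dest-a.example', [10, 300]),                       // too few samples
];

console.log(findBeacons(SAMPLE_EGRESS));
```

Using the median and median absolute deviation rather than mean and standard deviation keeps a single missed or delayed check-in from hiding an otherwise regular cadence.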

Is this the new normal for supply chain attacks?

Not yet. But it might be.

Supply chain attacks aren’t new. We’ve seen compromised software before—SolarWinds, Codecov, the XZ Utils backdoor. But those were mostly about injecting code into a single trusted project and waiting for adoption. TeamPCP is different because they’ve added automation and self-propagation. They’re not content to poison one tool. They’re building infrastructure that scales the attack horizontally across an entire ecosystem.

What makes this particularly relevant to open source maintainers and security teams: the attack surface here isn’t a vulnerability in any code. It’s an authentication token sitting in a developer’s ~/.npm credentials file. It’s a GitHub password reused on a personal machine. It’s the assumption that if you control the build pipeline, you’re safe. None of those assumptions hold anymore.

The fact that TeamPCP also included a data wiper targeting Iranian machines suggests state-level involvement or at least very specific geopolitical intentions. That’s a separate layer of alarming—it means this group has resources, patience, and objectives beyond typical financial cybercrime.

What happens now?

Aqua Security has been working with the security community to scope the damage. npm published advisories. Packages have been yanked. Researchers are hunting for all affected versions and tracing the propagation.

But here’s the uncomfortable truth: containment is backward-looking. By the time vulnerability reports go public, the window for infection has already closed. The real question is what happens the next time someone compromises a high-value GitHub account. What happens when this technique gets copied? What happens when another group figures out how to use blockchain-based command-and-control more effectively?

The open source community’s entire trust model is built on the assumption that compromises are rare and quickly discovered. TeamPCP just demonstrated that with enough access and enough sophistication, the discovery phase can be measured in hours, and the propagation phase can be measured in minutes.

Frequently Asked Questions

What is TeamPCP and where did they come from?

TeamPCP is a hacking group first observed in December by Flare, a security research team. They’re notable for large-scale automation, worm-enabled malware, and expertise in supply chain attacks. Their origins remain unclear, but the inclusion of Iran-targeted tools suggests possible state-level involvement or geopolitical motives.

Can I tell if my npm packages were compromised?

Check npm’s published advisories for affected packages. If you use Trivy, upgrade immediately to a patched version. For other packages: review the advisory list, check package changelogs for suspicious new versions released around the incident dates, and audit your dependencies with updated vulnerability scanners (from trusted sources).
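Both the burst of 28 packages in under 60 seconds described earlier and the advice above to look at versions released around the incident dates can be checked from publish timestamps. This is an added example, not part of the original article; the event fields, package and maintainer names, thresholds and the review window are constructed placeholders.

```javascript
// Added example: audit publish timestamps of the packages you depend on.
// Field names, package/maintainer names and dates are constructed placeholders.

// Versions published inside [start, end] (ISO strings): review these by hand.
function publishedInWindow(events, start, end) {
  const s = Date.parse(start), e = Date.parse(end);
  return events
    .filter(ev => Date.parse(ev.publishedAt) >= s && Date.parse(ev.publishedAt) <= e)
    .map(ev => `${ev.name}@${ev.version}`);
}

// Publishers that released >= minPackages distinct packages within windowMs.
function publishBursts(events, minPackages = 5, windowMs = 60000) {
  const byPublisher = new Map();
  for (const ev of events) {
    const list = byPublisher.get(ev.publisher) || [];
    list.push({ name: ev.name, at: Date.parse(ev.publishedAt) });
    byPublisher.set(ev.publisher, list);
  }
  const bursts = [];
  for (const [publisher, list] of byPublisher) {
    list.sort((a, b) => a.at - b.at);
    let lo = 0, best = null;
    for (let hi = 0; hi < list.length; hi++) {
      while (list[hi].at - list[lo].at > windowMs) lo++; // keep span <= windowMs
      const names = new Set(list.slice(lo, hi + 1).map(x => x.name));
      if (names.size >= minPackages && (!best || names.size > best.packages.length)) {
        best = { publisher, packages: [...names].sort(),
                 startedAt: new Date(list[lo].at).toISOString() };
      }
    }
    if (best) bursts.push(best);
  }
  return bursts;
}

// Constructed sample: "maintainer-a" publishes six packages within 40 seconds.
const mkEvent = (name, version, publisher, publishedAt) =>
  ({ name, version, publisher, publishedAt });
const SAMPLE_EVENTS = [
  mkEvent('pkg-a', '1.4.0', 'maintainer-a', '2025-01-02T09:00:00Z'),
  ...['pkg-a', 'pkg-b', 'pkg-c', 'pkg-d', 'pkg-e', 'pkg-f'].map((n, i) =>
    mkEvent(n, '9.9.9', 'maintainer-a', `2025-03-01T02:00:${String(i * 8).padStart(2, '0')}Z`)),
  mkEvent('pkg-x', '2.0.0', 'maintainer-b', '2025-03-01T02:00:10Z'),
  mkEvent('pkg-y', '3.1.0', 'maintainer-b', '2025-03-01T11:30:00Z'),
];

console.log(publishBursts(SAMPLE_EVENTS));
console.log(publishedInWindow(SAMPLE_EVENTS, '2025-03-01T00:00:00Z', '2025-03-01T06:00:00Z'));
```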

Why is using blockchain for malware control actually a problem?

Because traditional takedown methods rely on seizing centralized servers or corrupting DNS records. Blockchain-based smart contracts are designed to be tamper-proof and decentralized—making them nearly impossible to disable without network-wide consensus. It’s architectural resilience, weaponized.

Written by Priya Sundaram

Hardware and infrastructure reporter. Tracks GPU wars, chip design, and the compute economy.



Originally reported by Ars Technica - Tech
