RC RANDOM CHAOS

TeamPCP Deploys Iran-Targeted Wiper via Trivy Supply Chain Compromise

· via Krebs on Security

Original source

‘CanisterWorm’ Springs Wiper Attack Targeting Iran

Krebs on Security →

A cloud-focused cybercrime group called TeamPCP escalated from financial extortion to geopolitically targeted destruction, deploying a wiper payload that destroys data on machines with Iranian locale settings or Farsi as the default language. The group operates a self-propagating worm that spreads through exposed Docker APIs, Kubernetes clusters, and Redis servers, with Azure and AWS accounting for 97% of its confirmed compromises. Its infrastructure runs on Internet Computer Protocol canisters — blockchain-based smart contracts that resist takedown as long as fees are paid.
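The worm's entry points named above (exposed Docker APIs and Redis servers) are ordinary misconfigurations that can be checked offline. The auditor below is an added example written for this summary, not code from the Krebs article or from TeamPCP's tooling; it reads a Docker daemon.json and a redis.conf and reports the settings that make either service reachable and unauthenticated. Kubernetes exposure depends on cluster RBAC and kubelet settings and is not modelled. All sample configurations are constructed for illustration.

```python
"""Offline exposure audit for Docker Engine API (daemon.json) and Redis (redis.conf).
Added example; sample configs below are constructed, not taken from any real host."""
from __future__ import annotations

import json
import re

# Docker Engine: a tcp:// listener without tlsverify hands any remote client the
# equivalent of root on the host (it can run a privileged container with / mounted).
def audit_docker_daemon(daemon_json: str) -> list[str]:
    findings: list[str] = []
    cfg = json.loads(daemon_json)
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if tcp_hosts and not cfg.get("tlsverify"):
        findings.append(f"docker: API on {tcp_hosts} without tlsverify (unauthenticated remote root)")
    for h in tcp_hosts:
        # tcp://0.0.0.0:2375, tcp://[::]:2375 and tcp://:2375 all bind every interface
        if re.search(r"^tcp://(0\.0\.0\.0|\[::\]|)(:|$)", h):
            findings.append(f"docker: listener {h} bound to all interfaces")
    return findings

def parse_redis_conf(conf: str) -> dict[str, str]:
    directives: dict[str, str] = {}
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        directives[key.lower()] = value.strip()
    return directives

# Redis: reachable + no auth lets an attacker write files via CONFIG SET dir /
# dbfilename + SAVE (cron entries, authorized_keys), which is how Redis-based
# worms typically gain code execution.
def audit_redis_conf(conf: str) -> list[str]:
    d = parse_redis_conf(conf)
    findings: list[str] = []
    has_auth = "requirepass" in d or "aclfile" in d
    bind = d.get("bind")
    # protected-mode defaults to yes since Redis 3.2 and only applies when no bind
    # directive is given and no password is set.
    protected = d.get("protected-mode", "yes").lower() == "yes"
    if bind is None:
        reachable = not protected  # no bind: all interfaces, gated only by protected-mode
    else:
        reachable = any(a.lstrip("-") not in ("127.0.0.1", "::1") for a in bind.split())
    if reachable and not has_auth:
        findings.append(f"redis: reachable on bind={bind!r} with no requirepass/aclfile")
    return findings

# Constructed samples: the weak setting beside the corrected one.
WEAK_DAEMON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})
WEAK_REDIS = "bind 0.0.0.0\nprotected-mode no\nport 6379\n"
HARDENED_REDIS = "bind 127.0.0.1 -::1\nprotected-mode yes\nrequirepass replace-with-a-long-random-secret\n"

if __name__ == "__main__":
    for label, text, fn in [
        ("weak daemon.json", WEAK_DAEMON, audit_docker_daemon),
        ("hardened daemon.json", HARDENED_DAEMON, audit_docker_daemon),
        ("weak redis.conf", WEAK_REDIS, audit_redis_conf),
        ("hardened redis.conf", HARDENED_REDIS, audit_redis_conf),
    ]:
        print(label, "->", fn(text) or "ok")
```

A hardened daemon.json still exposes the API to anyone holding a client certificate signed by that CA, so the TLS material deserves the same handling as an SSH key; on a cloud host, a security group that never opens 2375/2376 or 6379 to the internet is the control that should catch this first.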

The wiper was deployed via the same access TeamPCP gained from a March 19 supply chain attack on Aqua Security’s Trivy vulnerability scanner, where malicious code was injected into official GitHub Actions releases and exfiltrated SSH keys, cloud credentials, Kubernetes tokens, and crypto wallet data. A subsequent update to Wiz’s reporting confirmed the group also compromised the KICS scanner from Checkmarx the same day. This marks the second major Trivy supply chain incident within a month — the first being the unrelated HackerBot-Claw campaign in late February.
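Malicious code landing in an action's official release tags hits every workflow that references the action by a mutable ref such as `@master` or `@v1`, because the tag can be moved to the tampered commit. A commit SHA cannot be retargeted. The script below is an added example (not code from the article, Aqua Security or Trivy) that scans a workflow file for `uses:` references that are not pinned to a 40-hex commit; the workflow text and the SHA in it are constructed placeholders, not a real Trivy release.

```python
"""Flag GitHub Actions 'uses:' references that can be silently repointed.
Added example; the sample workflow and SHA below are constructed placeholders."""
from __future__ import annotations

import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches '- uses: owner/repo@ref', 'uses: "owner/repo/path@ref"' etc.; stops at
# whitespace, quotes or a trailing '# vX.Y.Z' comment.
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*["']?([^\s"'#]+)""")

def find_unpinned_actions(workflow_text: str) -> list[dict]:
    findings: list[dict] = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        if target.startswith("./"):
            continue  # local action in the same repo: no external trust boundary
        if target.startswith("docker://"):
            if "@sha256:" not in target:
                findings.append({"line": lineno, "uses": target, "reason": "image tag, not a digest"})
            continue
        repo, sep, ref = target.partition("@")
        if not sep:
            findings.append({"line": lineno, "uses": target, "reason": "no ref at all"})
        elif not SHA_RE.match(ref):
            findings.append({"line": lineno, "uses": target,
                             "reason": f"mutable ref {ref!r} (tag or branch can be retargeted)"})
    return findings

# Constructed workflow: one step on a mutable tag, one pinned to a placeholder SHA.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run Trivy (mutable tag; a retagged release is picked up on the next run)
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: fs
      - name: Run Trivy (pinned; placeholder SHA, not a real release commit)
        uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567 # vX.Y.Z
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3
"""

if __name__ == "__main__":
    for f in find_unpinned_actions(SAMPLE_WORKFLOW):
        print(f"line {f['line']}: {f['uses']}: {f['reason']}")
```

Two caveats a reviewer should keep in mind: a pinned SHA only freezes the action's own repository, so a wrapper action that downloads a tool binary at run time still needs that tool's version and checksum pinned separately; and the credentials the summary lists as exfiltrated (SSH keys, cloud credentials, Kubernetes tokens) were available to the step in the first place, so short-lived, job-scoped tokens limit what any future compromised action can take.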

The wiper’s effectiveness against Iranian targets remains unconfirmed: the payload was live only briefly, and the group repeatedly switched it on and off while adding features in real time. Researchers note the Iran targeting may be performative, since the group has been openly bragging on Telegram and spamming GitHub with junk commits to keep the tainted packages prominent in search results. The incident reinforces a broader pattern: supply chain attacks are accelerating as threat actors recognize how efficiently a single compromised tool can propagate malware across enterprise infrastructure at scale.


This is an AI-generated summary. Read the original for the full story.