Summary
TeamPCP hackers launched the CanisterWorm supply chain attack against npm packages, using stolen credentials from the Trivy breach, decentralized ICP canisters for C2, and self-propagating code to steal cloud credentials and deploy destructive Kubernetes wipers.
Take Action:
If you use Trivy GitHub Actions or any npm packages from the affected scopes (@EmilGroup, @opengov, @teale.io, @airtm), assume your credentials are compromised — immediately rotate all secrets including npm tokens, SSH keys, cloud credentials, and Kubernetes tokens. Check your systems for suspicious services named "pgmon," "internal-monitor," or "pgmonitor," unexpected DaemonSets in kube-system, and files in /tmp/pglog or /var/lib/pgmon/, and remove anything suspicious immediately.
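A host triage helper for the indicators listed above, added here as an example and not code from the article: the service names and file paths are the article's, while the kube-system DaemonSet baseline is an assumption you must replace with the set your cluster is known to run.

```shell
#!/bin/sh
# Triage helper for the CanisterWorm indicators named in the summary: suspicious
# service names, unexpected DaemonSets in kube-system, and the listed file paths.
# Added example; the DaemonSet baseline is an ASSUMPTION, not from the article.

SUSPICIOUS_SERVICES="pgmon internal-monitor pgmonitor"   # names from the article
IOC_PATHS="/tmp/pglog /var/lib/pgmon"                    # paths from the article
KNOWN_DAEMONSETS="kube-proxy calico-node aws-node"       # ASSUMED baseline; adapt

# stdin: one systemd unit per line; prints units whose name matches an indicator.
flag_suspicious_services() {
    while IFS= read -r unit; do
        base=${unit%.service}
        for s in $SUSPICIOUS_SERVICES; do
            if [ "$base" = "$s" ]; then printf '%s\n' "$unit"; fi
        done
    done
    return 0
}

# stdin: one "daemonset.apps/<name>" per line; prints names not in the baseline.
flag_unexpected_daemonsets() {
    while IFS= read -r ds; do
        name=${ds#daemonset.apps/}
        known=0
        for k in $KNOWN_DAEMONSETS; do
            if [ "$name" = "$k" ]; then known=1; fi
        done
        if [ "$known" -eq 0 ]; then printf '%s\n' "$name"; fi
    done
    return 0
}

# Prints each indicator path that exists; $1 is an optional root prefix (for
# scanning a mounted image or a test tree instead of the live filesystem).
check_ioc_paths() {
    for p in $IOC_PATHS; do
        if [ -e "${1:-}$p" ]; then printf '%s\n' "$p"; fi
    done
    return 0
}

# Live run on a host: `sh triage.sh --run` (systemctl and kubectl assumed on PATH).
if [ "${1:-}" = "--run" ]; then
    systemctl list-units --type=service --all --plain --no-legend 2>/dev/null \
        | awk '{print $1}' | flag_suspicious_services
    kubectl -n kube-system get ds -o name 2>/dev/null | flag_unexpected_daemonsets
    check_ioc_paths
fi
```

Any line of output is a hit to investigate; an empty run only shows the listed indicators are absent, not that the host is clean.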
This article was originally published on BeyondMachines