CanisterWorm supply chain worm adds Iran-only wiper to CI/CD attacks

Mar 24th 2026 · Iran

Researchers say CanisterWorm spread via compromised npm packages to CI/CD pipelines, then added a payload that wipes machines if they are detected as being in Iran.

  • CanisterWorm is self-propagating malware that infects CI/CD pipelines through npm packages when an npm token is accessible.
  • Infected developers and pipelines become unwitting propagation vectors that spread the backdoor to downstream projects.
  • The worm was updated to include a wiper called Kamikaze that activates when a machine is in the Iranian timezone or configured for Iran.
  • Kamikaze decision tree:
      ◦ Kubernetes present, machine in Iran: deploys a DaemonSet to wipe every node.
      ◦ Kubernetes present, machine elsewhere: deploys a DaemonSet that installs a backdoor.
      ◦ No Kubernetes, machine in Iran: runs rm -rf / --no-preserve-root.
      ◦ No Kubernetes, machine elsewhere: does nothing.
  • The compromise of Trivy was enabled by a prior Aqua Security credential breach and incomplete credential rotation, and Aqua is now performing a deeper credential purge.
  • Aikido researcher Charlie Eriksen said the malicious package was taken down Sunday night and there is no evidence yet that Iranian machines were damaged, while TeamPCP's motive remains unclear and may be visibility rather than direct profit.