<”
body {
font-family: -apple-system, BlinkMacSystemFont, ‘Segoe UI’, Roboto, sans-serif;
line-height: 1.6;
color: #333;
max-width: 800px;
margin: 0 auto;
padding: 20px;
background: #f9f9f9;
}
img {
width: 100%;
height: auto;
margin-bottom: 20px;
border-radius: 8px;
}
h2 {
color: #d32f2f;
font-size: 28px;
margin: 20px 0 15px 0;
}
p {
margin: 15px 0;
font-size: 16px;
}
.technical {
background: #f0f0f0;
padding: 15px;
border-left: 4px solid #d32f2f;
margin: 20px 0;
font-family: ‘Courier New’, monospace;
font-size: 14px;
}
.warning {
background: #fff3cd;
padding: 15px;
border-radius: 4px;
margin: 20px 0;
border-left: 4px solid #ff9800;
}
strong {
color: #d32f2f;
}
Supply Chain Sabotage: TeamPCP’s Wiper Attack Weaponizes Kubernetes Against Iran
A relatively new cybercrime group called TeamPCP just deployed a sophisticated wiper attack using the same infrastructure from a March 19 supply chain compromise of Trivy, Aqua Security’s vulnerability scanner[1]. The malware specifically targets systems in Iran, destroying entire Kubernetes clusters if it detects Iranian timezone and locale settings[1].
This isn’t just another ransomware story—it’s a supply chain attack that weaponizes your own development tools against you.
• March 19: TeamPCP compromised Trivy’s GitHub Actions, injecting credential-stealing malware[1]
• Payload harvested: SSH keys, cloud credentials, Kubernetes tokens, crypto wallets[1]
• Weekend deployment: Same infrastructure repurposed for geolocation-based wiper attack[1]
• Trigger: Kubernetes cluster destruction if victim timezone = Iran[1]
TeamPCP has been active since December 2025, starting with a self-propagating worm targeting exposed Docker APIs, Kubernetes clusters, and Redis servers[1]. They’ve escalated from credential theft and extortion on Telegram to full data destruction ops. The group demonstrated serious operational security by reusing proven attack infrastructure across multiple campaigns.
If you’re running Trivy for vulnerability scanning, you may have pulled malicious versions between March 19 and when Aqua Security removed them[1]. Even if you’re not in Iran, the attack proves supply chain compromises can sit dormant in your CI/CD pipeline, waiting for specific triggers. Your GitHub Actions are now a potential attack surface. Security researcher Charlie Eriksen at Aikido notes that if the wiper detects Kubernetes access, it nukes every node in your cluster[1]—that’s catastrophic for production environments.
The geolocation-targeting is the real tell here. This wasn’t opportunistic—it was surgical. TeamPCP built a payload that knows where it is and adapts accordingly. That level of sophistication suggests state-adjacent actors or serious criminal infrastructure. The fact they’re reusing attack infrastructure across campaigns shows efficiency and confidence they won’t get shut down immediately.
The Bottom Line: Audit your Trivy deployments now. Check your GitHub Actions logs for suspicious activity. If you’re managing Kubernetes, assume your supply chain tooling has been compromised at some point—because it probably has. The era of “trust your build tools” is officially dead. Zero-trust your entire pipeline, or get wiped like a compromised Iranian node.
