TeamPCP Iran-targeted Kubernetes destructive campaign
Campaign
Summary
The TeamPCP campaign is now using a malicious script against Kubernetes clusters to wipe hosts when systems appear configured for Iran, raising the risk of geopolitically targeted destruction. On non-Iranian nodes, the same operation installs a Python backdoor for persistence instead of erasing machines. The activity also reuses the CanisterWorm infrastructure and is evolving toward SSH propagation with stolen credentials and parsed authentication logs. That combination shows an active, coordinated operation with selective destructive behavior and follow-on footholds.
Related Happenings
PCPJack TeamPCP-targeting cloud credential theft campaign
Campaign
First: 08.05.2026 12:00
Last: 08.05.2026 12:00
Sources 1
About this happening:
A new **PCPJack** campaign is targeting **TeamPCP victims** by **worming across exposed cloud infrastructure**, creating a fresh risk of credential theft and unauthorized reuse of...
PCPJack credential theft framework worms across exposed cloud infrastructure
Malware Activity
First: 08.05.2026 12:00
Last: 08.05.2026 12:00
Sources 1
About this happening:
The **PCPJack** malware activity is extending a **credential-theft** operation across **exposed cloud infrastructure**, stripping **TeamPCP** artifacts and stealing access from se...
PCPJack Linux cloud credential-theft and persistence framework
Malware Activity
First: 07.05.2026 21:35
Last: 07.05.2026 21:35
Sources 1
About this happening:
The **PCPJack** malware framework is stealing credentials from **exposed Linux cloud systems**, creating a broad risk of account takeover and lateral movement. It targets services...
PCPJack worm-like credential theft framework
Malware Activity
First: 07.05.2026 20:45
Last: 07.05.2026 20:45
Sources 1
About this happening:
The **PCPJack** malware framework now conducts **credential theft** across exposed cloud infrastructure, raising the risk of account takeover and follow-on intrusion. It matters b...
TeamPCP supply-chain credential-exploitation campaign
Campaign
First: 31.03.2026 15:15
Last: 31.03.2026 15:15
Sources 1
About this happening:
The **TeamPCP** campaign now includes a confirmed **GitHub** compromise tied to a poisoned **Nx Console VS Code extension**. GitHub said the breach of its internal repositories ca...
Latest development: 12.05.2026 01:03
TeamPCP compromised the Checkmarx Jenkins AST plugin by publishing a rogue version to repo.jenkins-ci.org on May 9, 2026, outside the official release pipeline. The malicious upload was tied to access to Checkmarx GitHub repositories and was used to deliver credential-stealing malware and malicious code to the affected organization.
Timeline
- 23.03.2026 22:09 · 1 article · 2mo ago
CanisterWorm campaign starts on March 20
Campaign Scope Update: The NPM-based CanisterWorm activity begins on March 20.
- TeamPCP deploys Iran-targeted wiper in Kubernetes attacks — www.bleepingcomputer.com — 23.03.2026 22:09
- 23.03.2026 22:09 · 2 articles · 2mo ago
TeamPCP Iran-targeted Kubernetes wiper analysis
Technical Analysis Update: TeamPCP-linked malware targets Kubernetes clusters with a destructive payload that wipes hosts when an Iran timezone and locale are detected, using a privileged DaemonSet named `Host-provisioner-iran` in `kube-system`; on non-Iranian systems it installs a Python backdoor for persistence, and newer variants switch to SSH propagation with parsed authentication logs, stolen private keys, `StrictHostKeyChecking=no`, and Docker API access on port 2375.
- TeamPCP deploys Iran-targeted wiper in Kubernetes attacks — www.bleepingcomputer.com — 23.03.2026 22:09
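The technical analysis above describes the wiper's foothold as a privileged DaemonSet in `kube-system`. A defender can hunt for that shape directly in the cluster's DaemonSet objects rather than relying on the name alone. The script below is an added example, not TeamPCP tooling and not code from the article: it reads a DaemonSet list in the shape that `kubectl get daemonsets -A -o json` produces, and flags privileged containers, host namespace sharing, and hostPath mounts of sensitive node paths. The sample list embedded in the script is constructed for this example; only the DaemonSet name `Host-provisioner-iran` is taken from the article, and every image, namespace and path in the sample is made up.

```python
import json

# Constructed sample in the shape of `kubectl get daemonsets -A -o json`.
# The second item mirrors the pattern reported above: a privileged DaemonSet in
# kube-system mounting the host root. Images and the first item are invented.
SAMPLE_DS_LIST = json.dumps({
    "items": [
        {"metadata": {"name": "log-agent", "namespace": "logging"},
         "spec": {"template": {"spec": {
             "containers": [{"name": "agent", "image": "example.invalid/agent:1",
                             "securityContext": {"privileged": False}}],
             "volumes": [{"name": "logs", "hostPath": {"path": "/var/log"}}]}}}},
        {"metadata": {"name": "Host-provisioner-iran", "namespace": "kube-system"},
         "spec": {"template": {"spec": {
             "hostPID": True,
             "hostNetwork": True,
             "containers": [{"name": "prov", "image": "example.invalid/prov:latest",
                             "securityContext": {"privileged": True},
                             "volumeMounts": [{"name": "root", "mountPath": "/host"}]}],
             "volumes": [{"name": "root", "hostPath": {"path": "/"}}]}}}},
    ]
})

# Host paths that hand a container effective control of the node when writable.
RISKY_HOST_PATHS = {"/", "/etc", "/boot", "/dev", "/var/lib/kubelet"}
# DaemonSet name reported in the article; kept as a plain indicator match only.
REPORTED_NAMES = {"host-provisioner-iran"}


def audit_daemonset(item):
    """Return the list of risk reasons for one DaemonSet object (empty = nothing flagged)."""
    pod = item.get("spec", {}).get("template", {}).get("spec", {})
    reasons = []
    for c in pod.get("containers", []) + pod.get("initContainers", []):
        if c.get("securityContext", {}).get("privileged"):
            reasons.append(f"privileged container {c.get('name')}")
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if pod.get(flag):
            reasons.append(flag)
    for v in pod.get("volumes", []):
        path = v.get("hostPath", {}).get("path")
        if path is None:
            continue
        norm = path if path == "/" else path.rstrip("/")  # "/etc/" and "/etc" match alike
        if norm in RISKY_HOST_PATHS:
            reasons.append(f"hostPath {path}")
    if item.get("metadata", {}).get("name", "").lower() in REPORTED_NAMES:
        reasons.append("name matches reported indicator")
    return reasons


def find_suspicious_daemonsets(raw_json):
    """Parse a DaemonSet list and return findings, highest severity first."""
    findings = []
    for item in json.loads(raw_json).get("items", []):
        reasons = audit_daemonset(item)
        if not reasons:
            continue
        meta = item.get("metadata", {})
        privileged = any(r.startswith("privileged") for r in reasons)
        host_root = any(r.startswith("hostPath") for r in reasons)
        # Privileged plus a sensitive hostPath is the node-takeover combination.
        severity = "high" if privileged and host_root else "medium"
        findings.append({"namespace": meta.get("namespace"), "name": meta.get("name"),
                         "severity": severity, "reasons": reasons})
    findings.sort(key=lambda f: f["severity"] != "high")
    return findings


if __name__ == "__main__":
    for f in find_suspicious_daemonsets(SAMPLE_DS_LIST):
        print(f"{f['severity']:6} {f['namespace']}/{f['name']}: {', '.join(f['reasons'])}")
```

Run it against live output by piping `kubectl get daemonsets -A -o json` into `find_suspicious_daemonsets`; the name check is the weakest signal, since a renamed copy passes it, while the privileged-plus-hostPath combination is what to alert on regardless of name.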