
While most of the team's activities so far seemed to be related to obtaining money, the latest version of the software dubbed CanisterWorm will completely erase the contents of any Iranian machine it finds itself in, identifying them by the system's time zone. On Kubernetes hosts it deletes every machine in the cluster, while standard VMs of whichever type get a good ol' "rm -rf / --no-preserve-root" — no questions asked. If the machine is not Iranian, the infection and spread continue as usual.
There's seemingly no immediate motivation for the data wipe, especially given a dead host isn't much use to a parasite. In a statement to KrebsOnSecurity, Aikido researcher Charlie Eriksen said that the group was apparently just showing off, and hypothesized that it may hold credentials to a much larger number of systems than those that participated in the attack.
The latest attack started over the past weekend, kickstarted by a hack on the Trivy open-source vulnerability scanner software that many developers use as part of their software publishing infrastructure. Node.js (npm) packages that used Trivy got their publishing credentials harvested, and from there the malware spread to other npm packages and set up a multitude of background processes masquerading as standard system services.
What makes this particular attack novel on the technical side is that the command-and-control infrastructure — the "control panel" of the malware network operators — was a dead drop published on an ICP (Internet Compute Project) canister, hence the CanisterWorm name. A canister is a type of smart contract, a small blockchain-hosted set of code and data that is particularly resilient to being brought down, due to its distributed nature.
Unlike cryptocurrency blockchains such as Bitcoin or Ethereum, participants in the ICP must undergo a strict identification and vetting process and provide substantial hardware to run it. Estimates pin the number of participating machines at around 1400 (half active, half on standby) across over 100 node providers and 34 countries.