New CanisterWorm Targets Kubernetes Clusters, Deploys “Kamikaze” Wiper

CanisterWorm spreads via npm supply chain attack, hijacks developer accounts, targets Kubernetes clusters, and deploys destructive Kamikaze wiper payload.

A fast-moving malware campaign dubbed CanisterWorm is spreading rapidly through developer ecosystems, moving between machines in seconds. First observed on 20 March 2026 at 20:45 UTC, the campaign escalated within 48 hours from credential theft to destructive attacks against Kubernetes environments.

The group behind the activity, TeamPCP, seeded malicious code into more than 45 npm packages. Investigators link the campaign to the earlier compromise of Aqua Security’s Trivy scanner, with stolen credentials used to take over maintainer accounts and publish infected updates.

Researchers at Aikido Security, who shared details with Hackread.com, report that infected systems are scanned for authentication tokens. These tokens allow attackers to reuse compromised accounts to distribute additional malicious packages. In one instance, 28 packages were hijacked in under a minute.

The campaign also introduces ...