TeamPCP Moves From OSS to AWS Environments

The threat actor behind the widespread March campaign targeting the open source software community has been using compromised credentials to access AWS environments and exfiltrate more data, cybersecurity firm Wiz reports. The hacking group, known as TeamPCP, DeadCatx3, PCPcat, and ShellForce, has been active since 2024. Initially focused on cloud environments, the group shifted to supply chain attacks in mid-2025, targeting the theft of CI/CD credentials at scale. TeamPCP made headlines over the past two weeks, after hacking Aqua Security’s Trivy vulnerability scanner as part of a campaign that has since expanded to NPM, PyPI, and OpenVSX. According to OpenSourceMalware, the various incidents attributed to the group over the past weeks are chained together, as they were all triggered by the Trivy hack, which was the result of improperly rotated credentials following a February compromise. The malware injected in Trivy packages and GitHub Actions was executed when Trivy ran in downstream pipelines, allowing TeamPCP to compromise publish tokens of NPM developers, as well as a PyPI token belonging to LiteLLM co-founder and CEO Krrish Dholakia. LiteLLM has over 90 million monthly downloads, and its compromise had a massive blast radius. Among others, it exposed a Telnyx PyPI token that led to Telnyx’s PyPI packages being injected with malware. Security researchers estimate that tens of thousands of repositories were likely impacted by the campaign, as TeamPCP’s malware was designed to harvest credentials, API tokens, SSH tokens, and other secrets from the infected developer systems. According to a fresh Wiz report, the hacking group did not waste time validating the exfiltrated credentials. They used the open source tool TruffleHog to confirm that stolen AWS access keys, Azure application secrets, and various SaaS tokens were still valid and in use. Within 24 hours of validating the stolen secrets, the group moved to discovery operations in the compromised AWS environments, enumerating various services, with a focus on containers, where it mapped clusters and task definitions. It also targeted the victim’s AWS Secrets Manager. “Once access had been validated and the layout identified, the actors used a variety of techniques to further their scheme by executing additional code and gaining access to other parts of the victim environments,” Wiz notes. The hackers relied on GitHub workflows to execute code within victim environments, and used the ECS Exec feature to execute Bash commands and Python scripts directly on containers running in AWS environments. “This access enabled the attackers to explore the environment and exfiltrate sensitive data,” Wiz explains. While it stole source code, configuration files, and embedded secrets from GitHub repositories, TeamPCP accessed S3 buckets, Secrets Manager, and databases for bulk data exfiltration from AWS environments, the cybersecurity firm says. “TeamPCP’s post-compromise activities focused on compromising additional secrets and exfiltrating massive amounts of data from code repositories and cloud resources. The exfiltrated data and compromised secrets are potentially being shared with other groups to enable a range of operations,” Wiz notes. In terms of other threat actors that TeamPCP might be working with to monetize its access to compromised environments, the main suspects are the infamous extortion group Lapsus$ and the Vect Ransomware Group. Lapsus$ was seen boasting about future TeamPCP operations, as if it had insider knowledge, and Vect claimed on a known hacking forum that it had a partnership with TeamPCP, Socket reports. Related: Hacked Hospitals, Hidden Spyware: Iran Conflict Shows How Digital Fight Is Ingrained in Warfare Related: Silent Drift: How LLMs Are Quietly Breaking Organizational Access Control Related: Chinese Hackers Caught Deep Within Telecom Backbone Infrastructure Related: AI Speeds Attacks, But Identity Remains Cybersecurity’s Weakest Link WRITTEN BY Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. More from Ionut Arghire Lloyds Data Security Incident Impacts 450,000 Individuals Huskeys Emerges From Stealth With $8 Million in Funding Russian APT Star Blizzard Adopts DarkSword iOS Exploit Kit Telnyx Targeted in Growing TeamPCP Supply Chain Attack Exploitation of Fresh Citrix NetScaler Vulnerability Begins F5 BIG-IP DoS Flaw Upgraded to Critical RCE, Now Exploited in the Wild Cloudflare-Themed ClickFix Attack Drops Infiniti Stealer on Macs OpenAI Launches Bug Bounty Program for Abuse and Safety Risks Latest News Censys Raises $70 Million for Internet Intelligence Platform The Next Cybersecurity Crisis Isn’t Breaches—It’s Data You Can’t Trust Stolen Logins Are Fueling Everything From Ransomware to Nation-State Cyberattacks Venom Stealer Raises Stakes With Continuous Credential Harvesting CrewAI Vulnerabilities Expose Devices to Hacking Google Slashes Quantum Resource Requirements for Breaking Cryptocurrency Encryption Exploitation of Critical Fortinet FortiClient EMS Flaw Begins StrongSwan Flaw Allows Unauthenticated Attackers to Crash VPNs Trending Webinar: Securing Fragile OT In An Exposed World March 10, 2026 Get a candid look at the current OT threat landscape as we move past "doom and gloom" to discuss the mechanics of modern OT exposure. Register Webinar: Why Automated Pentesting Alone Is Not Enough April 7, 2026 Join our live diagnostic session to expose hidden coverage gaps and shift from flawed tool-level evaluations to a comprehensive, program-level validation discipline. Register People on the Move Moderna has promoted Farzan Karimi to Deputy Chief Information Security Officer. Brian Goldfarb has been appointed Chief Marketing Officer at SentinelOne. Token has appointed Katy Nelson as Chief Revenue Officer. More People On The Move Expert Insights The Next Cybersecurity Crisis Isn’t Breaches—It’s Data You Can’t Trust Data integrity shouldn’t be seen only through the prism of a technical concern but also as a leadership issue. (Steve Durbin) Why Agentic AI Systems Need Better Governance – Lessons From OpenClaw Agentic AI platforms are shifting from passive recommendation tools to autonomous action-takers with real system access, (Etay Maor) The Human IOC: Why Security Professionals Struggle With Social Vetting Applying SOC-level rigor to the rumors, politics, and 'human intel' can make or break a security team. (Joshua Goldfarb) How To 10x Your Vulnerability Management Program In The Agentic Era The evolution of vulnerability management in the agentic era is characterized by continuous telemetry, contextual prioritization and the ultimate goal of agentic remediation. (Nadir Izrael) SIM Swaps Expose A Critical Flaw In Identity Security SIM swap attacks exploit misplaced trust in phone numbers and human processes to bypass authentication controls and seize high-value accounts. (Torsten George) Flipboard Reddit Whatsapp Email