TeamPCP Moves From OSS to AWS Environments

Summary

The TeamPCP hacking group, active since 2024, has expanded beyond compromising open-source software repositories (Trivy, NPM, PyPI) to weaponizing stolen AWS credentials for cloud environment reconnaissance and data exfiltration. After validating credentials with TruffleHog, the group enumerated AWS services, accessed secrets managers, and used GitHub workflows and ECS Exec to execute code and harvest sensitive data. Researchers suspect TeamPCP may be sharing compromised credentials and exfiltrated data with extortion groups Lapsus$ and Vect Ransomware Group to monetize access.

Full text

The threat actor behind the widespread March campaign targeting the open source software community has been using compromised credentials to access AWS environments and exfiltrate more data, cybersecurity firm Wiz reports. The hacking group, known as TeamPCP, DeadCatx3, PCPcat, and ShellForce, has been active since 2024. Initially focused on cloud environments, the group shifted to supply chain attacks in mid-2025, targeting the theft of CI/CD credentials at scale. TeamPCP made headlines over the past two weeks, after hacking Aqua Security’s Trivy vulnerability scanner as part of a campaign that has since expanded to NPM, PyPI, and OpenVSX. According to OpenSourceMalware, the various incidents attributed to the group over the past weeks are chained together, as they were all triggered by the Trivy hack, which was the result of improperly rotated credentials following a February compromise. The malware injected in Trivy packages and GitHub Actions was executed when Trivy ran in downstream pipelines, allowing TeamPCP to compromise publish tokens of NPM developers, as well as a PyPI token belonging to LiteLLM co-founder and CEO Krrish Dholakia. LiteLLM has over 90 million monthly downloads, and its compromise had a massive blast radius. Among others, it exposed a Telnyx PyPI token that led to Telnyx’s PyPI packages being injected with malware.Advertisement. Scroll to continue reading. Security researchers estimate that tens of thousands of repositories were likely impacted by the campaign, as TeamPCP’s malware was designed to harvest credentials, API tokens, SSH tokens, and other secrets from the infected developer systems. According to a fresh Wiz report, the hacking group did not waste time validating the exfiltrated credentials. They used the open source tool TruffleHog to confirm that stolen AWS access keys, Azure application secrets, and various SaaS tokens were still valid and in use. Within 24 hours of validating the stolen secrets, the group moved to discovery operations in the compromised AWS environments, enumerating various services, with a focus on containers, where it mapped clusters and task definitions. It also targeted the victim’s AWS Secrets Manager. “Once access had been validated and the layout identified, the actors used a variety of techniques to further their scheme by executing additional code and gaining access to other parts of the victim environments,” Wiz notes. The hackers relied on GitHub workflows to execute code within victim environments, and used the ECS Exec feature to execute Bash commands and Python scripts directly on containers running in AWS environments. “This access enabled the attackers to explore the environment and exfiltrate sensitive data,” Wiz explains. While it stole source code, configuration files, and embedded secrets from GitHub repositories, TeamPCP accessed S3 buckets, Secrets Manager, and databases for bulk data exfiltration from AWS environments, the cybersecurity firm says. “TeamPCP’s post-compromise activities focused on compromising additional secrets and exfiltrating massive amounts of data from code repositories and cloud resources. The exfiltrated data and compromised secrets are potentially being shared with other groups to enable a range of operations,” Wiz notes. In terms of other threat actors that TeamPCP might be working with to monetize its access to compromised environments, the main suspects are the infamous extortion group Lapsus$ and the Vect Ransomware Group. Lapsus$ was seen boasting about future TeamPCP operations, as if it had insider knowledge, and Vect claimed on a known hacking forum that it had a partnership with TeamPCP, Socket reports. Related: Hacked Hospitals, Hidden Spyware: Iran Conflict Shows How Digital Fight Is Ingrained in Warfare Related: Silent Drift: How LLMs Are Quietly Breaking Organizational Access Control Related: Chinese Hackers Caught Deep Within Telecom Backbone Infrastructure Related: AI Speeds Attacks, But Identity Remains Cybersecurity’s Weakest Link Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. More from Ionut Arghire Huskeys Emerges From Stealth With $8 Million in FundingRussian APT Star Blizzard Adopts DarkSword iOS Exploit KitTelnyx Targeted in Growing TeamPCP Supply Chain AttackExploitation of Fresh Citrix NetScaler Vulnerability BeginsF5 BIG-IP DoS Flaw Upgraded to Critical RCE, Now Exploited in the WildCloudflare-Themed ClickFix Attack Drops Infiniti Stealer on MacsOpenAI Launches Bug Bounty Program for Abuse and Safety RisksTP-Link Patches High-Severity Router Vulnerabilities Latest News CrewAI Vulnerabilities Expose Devices to HackingGoogle Slashes Quantum Resource Requirements for Breaking Cryptocurrency EncryptionExploitation of Critical Fortinet FortiClient EMS Flaw BeginsStrongSwan Flaw Allows Unauthenticated Attackers to Crash VPNsLloyds Data Security Incident Impacts 450,000 IndividualsCritical Vulnerability in OpenAI Codex Allowed GitHub Token Compromise Healthcare IT Platform CareCloud Probing Potential Data BreachSilent Drift: How LLMs Are Quietly Breaking Organizational Access Control Trending Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: Securing Fragile OT in an Exposed World March 10, 2026 Get a candid look at the current OT threat landscape as we move past "doom and gloom" to discuss the mechanics of modern OT exposure. Register Webinar: Why Automated Pentesting Alone Is Not Enough April 7, 2026 Join our live diagnostic session to expose hidden coverage gaps and shift from flawed tool-level evaluations to a comprehensive, program-level validation discipline. Register People on the MoveModerna has promoted Farzan Karimi to Deputy Chief Information Security Officer.Brian Goldfarb has been appointed Chief Marketing Officer at SentinelOne.Token has appointed Katy Nelson as Chief Revenue Officer.More People On The MoveExpert Insights Why Agentic AI Systems Need Better Governance – Lessons from OpenClaw Agentic AI platforms are shifting from passive recommendation tools to autonomous action-takers with real system access, (Etay Maor) The Human IOC: Why Security Professionals Struggle with Social Vetting Applying SOC-level rigor to the rumors, politics, and 'human intel' can make or break a security team. (Joshua Goldfarb) How to 10x Your Vulnerability Management Program in the Agentic Era The evolution of vulnerability management in the agentic era is characterized by continuous telemetry, contextual prioritization and the ultimate goal of agentic remediation. (Nadir Izrael) SIM Swaps Expose a Critical Flaw in Identity Security SIM swap attacks exploit misplaced trust in phone numbers and human processes to bypass authentication controls and seize high-value accounts. (Torsten George) Four Risks Boards Cannot Treat as Background Noise The goal isn’t about preventing every attack but about keeping the business running when attacks succeed. (Steve Durbin) Flipboard Reddit Whatsapp Whatsapp Email

Indicators of Compromise

• malware — TeamPCP
• malware — TruffleHog
• malware — Trivy
• malware — Lapsus$
• malware — Vect Ransomware Group