The threat actor behind the widespread March campaign targeting the open source software community has been using compromised credentials to access AWS environments and exfiltrate more data, cybersecurity firm Wiz reports.
The hacking group, known as TeamPCP, DeadCatx3, PCPcat, and ShellForce, has been active since 2024. Initially focused on cloud environments, the group shifted to supply chain attacks in mid-2025, targeting the theft of CI/CD credentials at scale.
TeamPCP made headlines over the past two weeks, after hacking Aqua Security’s Trivy vulnerability scanner as part of a campaign that has since expanded to NPM, PyPI, and OpenVSX.
According to OpenSourceMalware, the various incidents attributed to the group over the past weeks are chained together, as they were all triggered by the Trivy hack, which was the result of improperly rotated credentials following a February compromise.
The malware injected in Trivy packages and GitHub Actions was executed when Trivy ran in downstream pipelines, allowing TeamPCP to compromise publish tokens of NPM developers, as well as a PyPI token belonging to LiteLLM co-founder and CEO Krrish Dholakia.
LiteLLM has over 90 million monthly downloads, and its compromise had a massive blast radius. Among others, it exposed a Telnyx PyPI token that led to Telnyx’s PyPI packages being injected with malware.
Security researchers estimate that tens of thousands of repositories were likely impacted by the campaign, as TeamPCP’s malware was designed to harvest credentials, API tokens, SSH tokens, and other secrets from the infected developer systems.
According to a fresh Wiz report, the hacking group did not waste time validating the exfiltrated credentials. They used the open source tool TruffleHog to confirm that stolen AWS access keys, Azure application secrets, and various SaaS tokens were still valid and in use.
Within 24 hours of validating the stolen secrets, the group moved to discovery operations in the compromised AWS environments, enumerating various services, with a focus on containers, where it mapped clusters and task definitions. It also targeted the victims’ AWS Secrets Managers.
“Once access had been validated and the layout identified, the actors used a variety of techniques to further their scheme by executing additional code and gaining access to other parts of the victim environments,” Wiz notes.
The hackers relied on GitHub workflows to execute code within victim environments, and used the ECS Exec feature to execute Bash commands and Python scripts directly on containers running in AWS environments.
“This access enabled the attackers to explore the environment and exfiltrate sensitive data,” Wiz explains.
While it stole source code, configuration files, and embedded secrets from GitHub repositories, TeamPCP accessed S3 buckets, Secrets Manager, and databases for bulk data exfiltration from AWS environments, the cybersecurity firm says.
“TeamPCP’s post-compromise activities focused on compromising additional secrets and exfiltrating massive amounts of data from code repositories and cloud resources. The exfiltrated data and compromised secrets are potentially being shared with other groups to enable a range of operations,” Wiz notes.
In terms of other threat actors that TeamPCP might be working with to monetize its access to compromised environments, the main suspects are the infamous extortion group Lapsus$ and the Vect Ransomware Group.
Lapsus$ was seen boasting about future TeamPCP operations, as if it had insider knowledge, and Vect claimed on a known hacking forum that it had a partnership with TeamPCP, Socket reports.
“As always, we recommend all customers to follow security, identity, and compliance best practices—including relying on temporary credentials, such as IAM roles, instead of creating long-term credentials, such as access keys. Customers can contact AWS Support with any questions or concerns about the security of their account,” an AWS spokesperson told SecurityWeek.
*Updated with statement from AWS.
Related: Hacked Hospitals, Hidden Spyware: Iran Conflict Shows How Digital Fight Is Ingrained in Warfare
Related: Silent Drift: How LLMs Are Quietly Breaking Organizational Access Control
Related: Chinese Hackers Caught Deep Within Telecom Backbone Infrastructure
Related: AI Speeds Attacks, But Identity Remains Cybersecurity’s Weakest Link
