The notorious hacking group TeamPCP has expanded its cyberattack campaign from targeting open-source software to exploiting Amazon Web Services (AWS) environments, according to a report by cybersecurity firm Wiz. The group has been using stolen credentials to infiltrate these environments and exfiltrate sensitive data.
Background on TeamPCP’s Cyber Activities
Active since 2024, TeamPCP (also tracked as DeadCatx3, PCPcat, and ShellForce) initially targeted cloud environments. In mid-2025 they shifted to supply chain attacks aimed at stealing CI/CD credentials at scale. Most recently the group drew attention by compromising Aqua Security's Trivy vulnerability scanner, a foothold that extended their reach to the NPM, PyPI, and OpenVSX package ecosystems.
According to OpenSourceMalware, the incidents linked to TeamPCP are interconnected, all stemming from the Trivy breach caused by improperly rotated credentials following a February compromise. This breach allowed malware injection into Trivy packages and GitHub Actions, enabling the compromise of NPM developer publish tokens and a PyPI token belonging to LiteLLM co-founder and CEO Krrish Dholakia.
Impact of the AWS Exploitation
The compromise of LiteLLM, which sees over 90 million monthly downloads, had widespread consequences. It exposed a Telnyx PyPI token, which in turn led to malware-infected Telnyx PyPI packages. Security experts estimate that thousands of repositories were affected, since the malware was designed to harvest credentials, API tokens, SSH keys, and other secrets from compromised developer systems.
Wiz's latest report reveals that TeamPCP quickly verified the stolen credentials using the open-source secret scanner TruffleHog, confirming which AWS access keys, Azure application secrets, and SaaS tokens were still live. With valid AWS keys in hand they moved swiftly to discovery inside the compromised accounts: mapping clusters and task definitions in container services such as ECS, and enumerating AWS Secrets Manager.
Techniques and Future Outlook
Once access was secured, TeamPCP used several techniques to execute additional code and move into other parts of the victim environments. They used GitHub workflows to run code and used the ECS Exec feature to run Bash commands and Python scripts directly inside running ECS containers.
Wiz explains that this access facilitated the exploration of environments and exfiltration of sensitive data, including source code, configuration files, and embedded secrets from GitHub repositories. TeamPCP accessed S3 buckets, Secrets Manager, and databases to extract large volumes of data from AWS environments.
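The chain described in the preceding paragraphs (credential validation, ECS discovery, ECS Exec, then bulk reads from Secrets Manager and S3) leaves a recognisable footprint in CloudTrail when it all comes from one access key in a short window. The following detection sketch is an added example written for this page; it is not Wiz's or TeamPCP's code. The API event names are the real ones CloudTrail records, but the stage classification, the thresholds, the sample log records, the access key IDs and IP addresses are all constructed for illustration.

```python
"""Flag access keys whose CloudTrail activity matches the post-compromise
chain: validate key -> discover ECS/secrets -> ECS Exec and/or bulk
secret reads. Added example; event names are real CloudTrail API names,
the stage mapping and all sample data are constructed."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# (eventSource, eventName) -> stage of the chain. The grouping into
# stages is this example's own classification, not an AWS taxonomy.
STAGE_OF = {
    ("sts.amazonaws.com", "GetCallerIdentity"): "validate",   # what a "is this key live?" check calls
    ("ecs.amazonaws.com", "ListClusters"): "discover",
    ("ecs.amazonaws.com", "ListTaskDefinitions"): "discover",
    ("ecs.amazonaws.com", "DescribeTaskDefinition"): "discover",
    ("secretsmanager.amazonaws.com", "ListSecrets"): "discover",
    ("s3.amazonaws.com", "ListBuckets"): "discover",
    ("ecs.amazonaws.com", "ExecuteCommand"): "exec",           # ECS Exec into a running task
    ("secretsmanager.amazonaws.com", "GetSecretValue"): "collect",
    ("s3.amazonaws.com", "GetObject"): "collect",
}


def _event(t, source, name, key, ip):
    """Build a minimal CloudTrail-shaped JSON record (constructed sample data)."""
    return json.dumps({
        "eventTime": t, "eventSource": source, "eventName": name,
        "userIdentity": {"type": "IAMUser", "accessKeyId": key},
        "sourceIPAddress": ip,
    })


# Constructed sample log: a stolen key runs the whole chain in ~3 minutes,
# a deploy key does one normal secret read plus an untracked service update.
STOLEN, DEPLOY = "AKIAEXAMPLESTOLEN", "AKIAEXAMPLEDEPLOY"
SAMPLE_LOG = [
    _event("2025-10-01T10:00:02Z", "sts.amazonaws.com", "GetCallerIdentity", STOLEN, "203.0.113.7"),
    _event("2025-10-01T10:00:09Z", "ecs.amazonaws.com", "ListClusters", STOLEN, "203.0.113.7"),
    _event("2025-10-01T10:00:11Z", "ecs.amazonaws.com", "ListTaskDefinitions", STOLEN, "203.0.113.7"),
    _event("2025-10-01T10:00:14Z", "ecs.amazonaws.com", "DescribeTaskDefinition", STOLEN, "203.0.113.7"),
    _event("2025-10-01T10:00:20Z", "secretsmanager.amazonaws.com", "ListSecrets", STOLEN, "203.0.113.7"),
    _event("2025-10-01T10:01:05Z", "ecs.amazonaws.com", "ExecuteCommand", STOLEN, "203.0.113.7"),
    _event("2025-10-01T10:02:30Z", "secretsmanager.amazonaws.com", "GetSecretValue", STOLEN, "203.0.113.7"),
    _event("2025-10-01T10:02:31Z", "secretsmanager.amazonaws.com", "GetSecretValue", STOLEN, "203.0.113.7"),
    _event("2025-10-01T10:02:33Z", "secretsmanager.amazonaws.com", "GetSecretValue", STOLEN, "203.0.113.7"),
    _event("2025-10-01T10:03:00Z", "s3.amazonaws.com", "GetObject", STOLEN, "203.0.113.7"),
    _event("2025-10-01T10:05:00Z", "secretsmanager.amazonaws.com", "GetSecretValue", DEPLOY, "10.0.4.12"),
    _event("2025-10-01T10:05:01Z", "ecs.amazonaws.com", "UpdateService", DEPLOY, "10.0.4.12"),
]


def parse_event(line):
    """Return (access_key, time, stage, source_ip), or None for events outside STAGE_OF."""
    rec = json.loads(line)
    stage = STAGE_OF.get((rec.get("eventSource"), rec.get("eventName")))
    if stage is None:
        return None
    key = rec.get("userIdentity", {}).get("accessKeyId", "unknown")
    when = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
    return key, when, stage, rec.get("sourceIPAddress")


def detect_chain(lines, window=timedelta(minutes=30), min_collect_calls=3):
    """Group tracked events per access key and alert when, inside `window` from the
    key's first tracked event, discovery is followed by ECS Exec or by bulk collection.
    Returns {key: {"stages": [...], "collect_calls": int, "ips": [...], "alert": bool}}."""
    by_key = defaultdict(list)
    for line in lines:
        parsed = parse_event(line)
        if parsed:
            by_key[parsed[0]].append(parsed)
    report = {}
    for key, evs in by_key.items():
        evs.sort(key=lambda e: e[1])
        start = evs[0][1]
        in_window = [e for e in evs if e[1] - start <= window]
        stages = {e[2] for e in in_window}
        collect_calls = sum(1 for e in in_window if e[2] == "collect")
        alert = "discover" in stages and ("exec" in stages or collect_calls >= min_collect_calls)
        report[key] = {"stages": sorted(stages), "collect_calls": collect_calls,
                       "ips": sorted({e[3] for e in in_window}), "alert": alert}
    return report


if __name__ == "__main__":
    for key, finding in detect_chain(SAMPLE_LOG).items():
        print(key, finding)
```

Two caveats for anyone adapting this: `ExecuteCommand` and the ECS/Secrets Manager listing calls are CloudTrail management events and are logged by default, but `s3:GetObject` is a data event and only appears if S3 data-event logging is enabled on the trail, so a rule that relies on it will be blind in many accounts; and the window here is anchored at the key's first tracked event for simplicity, where a production rule would slide the window over the stream.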
TeamPCP's post-compromise efforts focused on harvesting additional secrets and exfiltrating large volumes of data from code repositories and cloud resources. The exfiltrated data and stolen secrets may be shared with other groups to enable a range of follow-on operations.
Speculation abounds regarding TeamPCP’s collaboration with other threat actors, such as the notorious extortion group Lapsus$ and the Vect Ransomware Group. Reports suggest Lapsus$ has insider knowledge of TeamPCP’s future operations, while Vect claimed a partnership on a known hacking forum.
