Threat operation TeamPCP, also known as PCPcat, DeadCatx3, and ShellForce, has tapped credentials siphoned from its sweeping supply chain attacks against Trivy, LiteLLM, and Telnyx to compromise AWS environments and facilitate additional data theft, SecurityWeek reports.
AWS discovery operations have been conducted by TeamPCP within 24 hours of validating pilfered AWS access keys, software-as-a-service tokens, and Azure app secrets using the TruffleHog tool, enabling service enumeration, cluster and task definition mapping, and AWS Secret Manager targeting, according to findings from Wiz researchers. TeamPCP then harnessed GitHub workflows to run code in targeted environments, as well as leveraged ECS Exec functionality for Bash command and Python script execution, to siphon not only GitHub repository source code and configuration files but also AWS S3 bucket, database, and Secrets Manager data.
"TeamPCP's post-compromise activities focused on compromising additional secrets and exfiltrating massive amounts of data from code repositories and cloud resources. The exfiltrated data and compromised secrets are potentially being shared with other groups to enable a range of operations," said Wiz, which suspects TeamPCP to have entered partnerships with the Lapsus$ hacking operation and the Vect ransomware group.
AWS discovery operations have been conducted by TeamPCP within 24 hours of validating pilfered AWS access keys, software-as-a-service tokens, and Azure app secrets using the TruffleHog tool, enabling service enumeration, cluster and task definition mapping, and AWS Secret Manager targeting, according to findings from Wiz researchers. TeamPCP then harnessed GitHub workflows to run code in targeted environments, as well as leveraged ECS Exec functionality for Bash command and Python script execution, to siphon not only GitHub repository source code and configuration files but also AWS S3 bucket, database, and Secrets Manager data.
"TeamPCP's post-compromise activities focused on compromising additional secrets and exfiltrating massive amounts of data from code repositories and cloud resources. The exfiltrated data and compromised secrets are potentially being shared with other groups to enable a range of operations," said Wiz, which suspects TeamPCP to have entered partnerships with the Lapsus$ hacking operation and the Vect ransomware group.





