TeamPCP Shifts Operations from OSS to AWS Environments

In short: a hacking group is using stolen credentials, not just passwords but AWS access keys and CI/CD secrets, to break into cloud accounts and steal data.
TeamPCP has shifted its focus to AWS environments, using stolen credentials to enumerate services and exfiltrate sensitive data. Any organization whose developer machines or CI pipelines were exposed to the group's earlier campaigns should treat the secrets held there as compromised and rotate them.
The Threat
TeamPCP, the hacking group behind a string of recent supply chain compromises, has shifted its focus from open source software (OSS) to Amazon Web Services (AWS) environments. The shift follows a series of successful attacks, including the breach of Aqua Security's Trivy vulnerability scanner. Using compromised credentials, TeamPCP now enumerates AWS services and moves laterally within victim environments, and the scale of the operation has drawn wide attention in the security community.
The group has been active since 2024. It initially targeted cloud environments, moved to supply chain attacks in mid-2025, and is now turning the credentials gathered in those attacks back on the cloud. Its recent operations yielded CI/CD credentials that let it infiltrate package registries including npm and PyPI. Because packages from those registries are pulled into many downstream builds, a single compromised maintainer token can translate into data breaches across numerous organizations.
Who's Behind It
TeamPCP operates under several aliases, including DeadCatx3, PCPcat, and ShellForce. Its recent activity has been linked to a wider network of cybercriminals, including the extortion group Lapsus$ and the Vect Ransomware Group, and reports suggest these groups share stolen data and resources to maximize their impact.
Operationally, the group runs stolen secrets through TruffleHog to verify them in bulk. For AWS keys that verification is a live sts:GetCallerIdentity call, so the first trace of a stolen key being tested often shows up in the victim's CloudTrail as a GetCallerIdentity event from an unfamiliar IP address. Once a key is confirmed valid, the group moves quickly to explore the environment and locate sensitive data, and its ties to other crews mean it can draw on their tooling and access as well.
Tactics & Techniques
After validating stolen credentials, TeamPCP runs discovery against the compromised AWS account, concentrating on container services and AWS Secrets Manager, where a single readable secret frequently unlocks further systems. Its ability to execute code inside victims' GitHub workflows gives it a persistent foothold: a workflow run exposes whatever secrets the pipeline is granted, and a change to the workflow persists across future runs.
The group's malware harvests API tokens and SSH keys from infected developer systems, and that is the feedstock for the AWS activity described above: developer machines hold long-lived AWS keys, registry tokens, and deploy keys, and any of them can be used for bulk data exfiltration from AWS resources. Security researchers estimate that tens of thousands of repositories may have been affected by the recent campaigns.
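The material the malware goes after (AWS keys, registry tokens, SSH private keys) is usually sitting in files a defender can scan first. The following scanner is an added example written for this page; it is not TeamPCP tooling, TruffleHog code, or anything from Aqua Security. The token formats are the published prefixes (AKIA/ASIA access key IDs, ghp_/npm_ tokens with 36 characters, PEM private key headers); the 40-character secret key pattern, the entropy threshold, and the sample files are assumptions constructed for the example.

```python
import math
import re

# Each entry names one kind of secret. If the pattern has a capture group, group 1 is the
# sensitive value; otherwise the whole match is. The AWS secret-key pattern is a heuristic.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_-]?secret[_-]?access[_-]?key\W{0,5}([A-Za-z0-9/+=]{40})"),
    "github_token": re.compile(r"\b(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{36}\b"),
    "npm_token": re.compile(r"\bnpm_[A-Za-z0-9]{36}\b"),
    "ssh_private_key": re.compile(r"-----BEGIN (?:RSA |OPENSSH |EC |DSA )?PRIVATE KEY-----"),
}
NO_ENTROPY_CHECK = {"ssh_private_key"}   # a fixed header string carries no entropy signal
MIN_ENTROPY_BITS = 2.5                   # assumption: real keys score ~3.5+, "XXXX" placeholders ~1


def shannon_entropy(s: str) -> float:
    """Bits per character; low values usually mean a placeholder rather than key material."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep just enough to locate the value in the file without re-leaking it in the report."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def scan_text(path: str, text: str) -> list[dict]:
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                if kind in NO_ENTROPY_CHECK or shannon_entropy(value) >= MIN_ENTROPY_BITS:
                    confidence = "high"
                else:
                    confidence = "low"       # looks like a doc placeholder, still worth a glance
                findings.append({"kind": kind, "path": path, "line": lineno,
                                 "redacted": redact(value), "confidence": confidence})
    return findings


def scan_files(files: dict[str, str]) -> list[dict]:
    """files maps path -> contents; in practice read them from a checkout or CI workspace."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


def high_confidence(findings: list[dict]) -> list[dict]:
    return [f for f in findings if f["confidence"] == "high"]


# Constructed sample inputs (AWS documentation example IDs, made-up npm token, truncated key;
# none are live credentials): a committed .env, a publish workflow, docs, and a dropped key.
SAMPLE_FILES = {
    ".env": ("AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
             "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"),
    ".github/workflows/publish.yml": ("env:\n"
                                      "  NODE_AUTH_TOKEN: npm_aB3dE6fG9hJ2kL5mN8pQ1rS4tU7vW0xY3zA6\n"),
    "docs/setup.md": "Export AWS_ACCESS_KEY_ID=" + "AKIA" + "X" * 16 + " before running deploy.\n",
    "deploy/id_rsa": ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
                      "b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMw==\n"
                      "-----END OPENSSH PRIVATE KEY-----\n"),
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['confidence']:>4}  {f['kind']:<22} {f['path']}:{f['line']}  {f['redacted']}")
```

Run it over a repository checkout before the code leaves the developer's machine (a pre-commit hook or CI job) and the report shows where each secret lives without printing the secret itself; the entropy check keeps documentation placeholders from drowning out real hits.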
Defensive Measures
Organizations should assume that any credential present on a developer machine or in a CI pipeline exposed to these campaigns is compromised, and rotate it. Beyond that, robust credential management means rotating secrets on a schedule, preferring short-lived credentials over long-lived AWS access keys in CI where possible, and enforcing multi-factor authentication on the accounts that can issue new keys. Note the limit of MFA here: it protects the interactive login, not a leaked access key already in an attacker's hands, which is why rotation and short-lived credentials matter.
Monitoring also matters. In CloudTrail, a GetCallerIdentity call from a new IP address followed by Secrets Manager or container-service enumeration under the same access key is the pattern described above, and it should raise an alert rather than sit in a log. Security teams should also run secret scanning and dependency checks across their software supply chain so that leaked tokens and tampered packages are found before an attacker uses them. Staying vigilant and adopting a layered security posture remains the best protection against groups like TeamPCP.
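The CloudTrail pattern behind the tactics described on this page (a key validated with GetCallerIdentity, then Secrets Manager and container-service discovery from an IP the key never used before) can be written as a simple correlation. The code below is an added example for this page, not TeamPCP tooling or anything from AWS or Aqua Security; the CloudTrail field names and the "Records" envelope are real, while the discovery event list, the 15-minute window, the three-call threshold, and the sample records (TEST-NET addresses, AWS documentation example key IDs) are assumptions constructed for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# (eventSource, eventName) pairs that, in a burst from one access key, look like an intruder
# checking a stolen key and then mapping secrets and container resources. Assumed list; tune it.
DISCOVERY = {
    ("sts.amazonaws.com", "GetCallerIdentity"),
    ("secretsmanager.amazonaws.com", "ListSecrets"),
    ("secretsmanager.amazonaws.com", "GetSecretValue"),
    ("ecr.amazonaws.com", "DescribeRepositories"),
    ("ecs.amazonaws.com", "ListClusters"),
    ("eks.amazonaws.com", "ListClusters"),
    ("s3.amazonaws.com", "ListBuckets"),
}
WINDOW = timedelta(minutes=15)   # correlation window after first use from a new IP (assumption)
MIN_DISTINCT_CALLS = 3           # alert threshold (assumption)


def load_cloudtrail(text: str) -> list[dict]:
    """CloudTrail delivers each log file as a JSON object with a top-level 'Records' array."""
    return json.loads(text)["Records"]


def event_time(r: dict) -> datetime:
    return datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def access_key(r: dict):
    return r.get("userIdentity", {}).get("accessKeyId")


def build_baseline(records: list[dict]) -> dict[str, set[str]]:
    """Source IPs each access key was used from during a known-good period."""
    seen = defaultdict(set)
    for r in records:
        if access_key(r):
            seen[access_key(r)].add(r["sourceIPAddress"])
    return seen


def detect(records: list[dict], baseline: dict[str, set[str]]) -> list[dict]:
    """Alert on (key, new source IP) pairs that run a discovery burst inside WINDOW."""
    by_origin = defaultdict(list)
    for r in sorted(records, key=event_time):
        key = access_key(r)
        if key is None or r["sourceIPAddress"] in baseline.get(key, set()):
            continue                              # known origin for this key: not our signal
        by_origin[(key, r["sourceIPAddress"])].append(r)

    alerts = []
    for (key, ip), evs in by_origin.items():
        start = event_time(evs[0])
        window = [e for e in evs if event_time(e) - start <= WINDOW]
        calls = {(e["eventSource"], e["eventName"]) for e in window} & DISCOVERY
        if len(calls) < MIN_DISTINCT_CALLS:
            continue
        alerts.append({
            "accessKeyId": key,
            "sourceIPAddress": ip,
            "userAgent": evs[0].get("userAgent", ""),
            "first_seen": evs[0]["eventTime"],
            "validated_with_sts": ("sts.amazonaws.com", "GetCallerIdentity") in calls,
            # AccessDenied on discovery calls still counts: a probing key is a probing key
            "denied_calls": sum(1 for e in window if e.get("errorCode")),
            "discovery_calls": sorted(f"{s}:{n}" for s, n in calls),
        })
    return alerts


def rec(t, source, name, ip, ua, key, error=None):
    """Build a minimal CloudTrail record (constructed sample data, not a real trail)."""
    r = {"eventTime": t, "eventSource": source, "eventName": name, "sourceIPAddress": ip,
         "userAgent": ua, "userIdentity": {"type": "IAMUser", "accessKeyId": key}}
    if error:
        r["errorCode"] = error
    return r


KEY_CI, KEY_DEV = "AKIAIOSFODNN7EXAMPLE", "AKIAI44QH8DHBEXAMPLE"   # AWS documentation example IDs
CI_UA, BOTO_UA = "aws-cli/2.15.0", "Boto3/1.34.0"

# Known-good week: the CI key only ever deploys from the runner at 203.0.113.10.
BASELINE = [rec(f"2025-09-0{d}T09:00:00Z", "s3.amazonaws.com", "PutObject",
                "203.0.113.10", CI_UA, KEY_CI) for d in range(1, 8)]

# Period under review, in CloudTrail's delivery format: the CI key is tested and used for
# discovery from 198.51.100.77, a normal deploy happens, and a second key makes one lone call.
RECENT_JSON = json.dumps({"Records": [
    rec("2025-09-14T10:00:05Z", "sts.amazonaws.com", "GetCallerIdentity", "198.51.100.77", BOTO_UA, KEY_CI),
    rec("2025-09-14T10:00:41Z", "secretsmanager.amazonaws.com", "ListSecrets", "198.51.100.77", BOTO_UA, KEY_CI),
    rec("2025-09-14T10:00:58Z", "secretsmanager.amazonaws.com", "GetSecretValue", "198.51.100.77", BOTO_UA, KEY_CI),
    rec("2025-09-14T10:01:13Z", "secretsmanager.amazonaws.com", "GetSecretValue", "198.51.100.77", BOTO_UA, KEY_CI),
    rec("2025-09-14T10:02:30Z", "ecr.amazonaws.com", "DescribeRepositories", "198.51.100.77", BOTO_UA, KEY_CI),
    rec("2025-09-14T10:02:44Z", "eks.amazonaws.com", "ListClusters", "198.51.100.77", BOTO_UA, KEY_CI, "AccessDenied"),
    rec("2025-09-14T10:03:10Z", "s3.amazonaws.com", "ListBuckets", "198.51.100.77", BOTO_UA, KEY_CI),
    rec("2025-09-14T10:05:00Z", "s3.amazonaws.com", "PutObject", "203.0.113.10", CI_UA, KEY_CI),
    rec("2025-09-14T11:30:00Z", "sts.amazonaws.com", "GetCallerIdentity", "198.51.100.9", BOTO_UA, KEY_DEV),
]})
RECENT = load_cloudtrail(RECENT_JSON)

if __name__ == "__main__":
    for a in detect(RECENT, build_baseline(BASELINE)):
        print(json.dumps(a, indent=2))
```

The baseline is the piece that makes this usable: keying on "IP this key has never used" instead of "any discovery call" keeps routine automation quiet, and counting AccessDenied events as discovery catches a stolen key whose owner had less access than the attacker hoped. A second key that only fires GetCallerIdentity is deliberately left below the threshold; surface it as a lower-severity signal if your environment has few legitimate reasons for that call.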