What's Happening?
The hacking group known as TeamPCP has been identified as the actor behind a series of cyberattacks targeting open source software communities and AWS environments. According to cybersecurity firm Wiz, TeamPCP has been using compromised credentials to access AWS environments and exfiltrate data. The group, active since 2024, initially focused on cloud environments but shifted to supply chain attacks in mid-2025. Recently, it compromised Aqua Security's Trivy vulnerability scanner, and the campaign has since expanded to include NPM, PyPI, and OpenVSX. The attacks have compromised CI/CD credentials, leading to the theft of publish tokens from developers, including a PyPI token belonging to LiteLLM, a package with over 90 million monthly downloads. The malware injected into the Trivy packages allowed TeamPCP to harvest credentials and secrets from infected systems.
Why It's Important?
The activities of TeamPCP highlight significant weaknesses in the software supply chain and in cloud environments. By compromising developer credentials and using them to reach AWS environments, the group poses a substantial threat to data security and integrity. The exfiltrated data and secrets could be reused for further intrusions, data breaches, and financial losses at affected companies. The involvement of other threat actors, such as Lapsus$ and the Vect Ransomware Group, suggests a broader network of cybercriminals that could exploit the stolen data for various malicious purposes. This situation underscores the need for robust security controls and practices, such as replacing long-lived credentials with temporary ones and strengthening identity management.
What's Next?
Organizations affected by TeamPCP's activities are likely to conduct thorough investigations to assess the extent of the compromise and limit the damage. Companies may need to tighten their security controls, rotate credentials, and enforce stricter access controls to prevent future breaches. AWS has advised customers to follow security best practices and to contact support with any security concerns. The cybersecurity community will likely continue monitoring TeamPCP's activities and collaborate on strategies to counter such threats. Additionally, there may be increased scrutiny of supply chain security and pressure for more stringent regulations to protect against similar attacks.
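The two follow-up steps above, scoping the compromise and deciding which credentials to rotate first, are easier with a concrete check. The script below is an added example for this page, not code from Wiz, AWS, or any affected project. It walks CloudTrail-style records and separates long-term IAM user access keys (IDs beginning with `AKIA`) from temporary STS credentials (IDs beginning with `ASIA`), then reports each long-term key's activity and flags any used from a source address outside an expected set. The records, user names, key IDs, and IP addresses are constructed for the example; the field names follow the CloudTrail record format.

```python
import json
from collections import defaultdict

# Constructed CloudTrail-style records for this example (not data from any real
# incident). Field names follow the CloudTrail record format; key IDs, user
# names and timestamps are made up, and IP addresses come from the
# 203.0.113.0/24 and 198.51.100.0/24 documentation ranges.
SAMPLE_RECORDS = [
    {"eventTime": "2025-06-01T10:00:00Z", "eventName": "GetCallerIdentity",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy",
                      "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2025-06-01T10:00:05Z", "eventName": "ListBuckets",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy",
                      "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2025-06-01T11:00:00Z", "eventName": "ListBuckets",
     "sourceIPAddress": "203.0.113.20",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/deploy-role/pipeline",
                      "accessKeyId": "ASIAEXAMPLE000000003"}},
    {"eventTime": "2025-06-01T11:05:00Z", "eventName": "CreateUser",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "admin",
                      "accessKeyId": "AKIAEXAMPLE000000002"}},
]

# CloudTrail log files wrap their records in a top-level "Records" array.
SAMPLE_LOG_JSON = json.dumps({"Records": SAMPLE_RECORDS})


def parse_cloudtrail(text: str) -> list:
    """Return the list of records from a CloudTrail log file body."""
    return json.loads(text)["Records"]


def credential_kind(access_key_id: str) -> str:
    """Classify an AWS access key ID by prefix: AKIA is a long-term IAM user
    key, ASIA is a temporary credential issued by STS."""
    if access_key_id.startswith("AKIA"):
        return "long-term"
    if access_key_id.startswith("ASIA"):
        return "temporary"
    return "unknown"


def audit_long_term_keys(records: list) -> dict:
    """Summarise every long-term key seen in the records: owning user, event
    count, distinct source IPs and the first/last time it was used."""
    findings = defaultdict(lambda: {"user": None, "events": 0,
                                    "source_ips": set(),
                                    "first_seen": None, "last_seen": None})
    for rec in records:
        ident = rec.get("userIdentity", {})
        key = ident.get("accessKeyId", "")
        if credential_kind(key) != "long-term":
            continue  # temporary credentials expire on their own
        f = findings[key]
        f["user"] = ident.get("userName")
        f["events"] += 1
        f["source_ips"].add(rec.get("sourceIPAddress", ""))
        t = rec.get("eventTime", "")
        # ISO-8601 UTC timestamps sort correctly as strings.
        if f["first_seen"] is None or t < f["first_seen"]:
            f["first_seen"] = t
        if f["last_seen"] is None or t > f["last_seen"]:
            f["last_seen"] = t
    return dict(findings)


def keys_from_unexpected_sources(findings: dict, allowed_ips: set) -> list:
    """Long-term keys used from an address outside the expected set; these
    are the first rotation candidates during incident scoping."""
    return sorted(k for k, f in findings.items()
                  if not f["source_ips"] <= allowed_ips)


if __name__ == "__main__":
    # Addresses the hypothetical CI runners are expected to use.
    expected = {"203.0.113.10", "203.0.113.20"}
    report = audit_long_term_keys(parse_cloudtrail(SAMPLE_LOG_JSON))
    for key, f in report.items():
        print(f"{key} user={f['user']} events={f['events']} "
              f"ips={sorted(f['source_ips'])} "
              f"window={f['first_seen']}..{f['last_seen']}")
    print("rotate first:", keys_from_unexpected_sources(report, expected))
```

Every long-term key in the report is a rotation candidate regardless of where it was used, since the page's point is that such keys should give way to temporary credentials; the unexpected-source list only orders that work. Against real CloudTrail data, read the log files from the trail's S3 bucket and feed each file body to `parse_cloudtrail`.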