# How TeamPCP are leveraging stolen secrets from the recent supply chain attacks to compromise cloud environments
Analysis Summary
# Threat Actor: TeamPCP
## Attribution & Identity
**TeamPCP** is a threat actor group characterized by their rapid exploitation of cloud environments through high-velocity supply chain attacks. While identified by their self-proclaimed name, specific attribution to a nation-state or established criminal syndicate is not currently confirmed, though their speed may suggest a coordinated group or the sharing of credentials among multiple actors.
## Activity Summary
Between March 19 and March 27, 2026, TeamPCP executed a series of supply chain compromises targeting popular open-source security and developer tools. Their campaign involves injecting credential-stealing malware into trusted repositories and packages to harvest cloud and CI/CD secrets for immediate post-compromise exploitation.
* **Trivy (Mar 19):** Injected malware into binaries, GitHub Actions, and container images.
* **KICS (Mar 23):** Compromised Checkmarx's IaC scanner via GitHub Actions and OpenVSX extensions.
* **LiteLLM (Mar 24):** Published trojanized PyPI packages targeting LLM proxy libraries.
* **Telnyx (Mar 27):** Published malicious versions of the Telnyx Python package to PyPI.
## Tactics, Techniques & Procedures
* **Secret Validation:** Automated validation of stolen API keys using **TruffleHog** within hours of theft (e.g., calling `sts:GetCallerIdentity` for AWS).
* **Internal Discovery:** Systematic enumeration of cloud environments (IAM, EC2, Lambda, RDS, Route 53, S3).
* **GitHub Workflow Abuse:** Using stolen Personal Access Tokens (PATs) to create pull requests with malicious workflows to gain further code/secret access.
* **Container Hijacking:** Leveraging **AWS ECS Exec** (via SSM Agent) to execute interactive Bash/Python scripts on running containers.
* **Defense Evasion:** Deleting GitHub workflow logs post-execution to hinder detection.
* **Tooling:** Use of the **Nord Stream** GitHub tool for automating repository compromises.
**MITRE ATT&CK IDs:**
* **T1195.002:** Supply Chain Compromise: Compromise Software Dependencies
* **T1552.001:** Unsecured Credentials: Credentials In Files (Exfiltration of `.ssh`, `.kube/config`, and `.env` files)
* **T1528:** Steal Application Access Token
* **T1087.004:** Account Discovery: Cloud Account
* **T1612:** Build Image on Host (via GitHub Actions)
* **T1611:** Escape to Host (via ECS Exec/interactive container access)
## Targeting
* **Sectors:** Technology, Software Development, Cloud Infrastructure, and AI/LLM development.
* **Geography:** Global (targeting widely used open-source projects and PyPI).
* **Victims:** Aqua Security (Trivy), Checkmarx (KICS), LiteLLM, and Telnyx.
## Tools & Infrastructure
* **Malware:** Custom credential-harvesting malware targeting cloud/CI secrets.
* **Validation Tools:** TruffleHog.
* **GitHub Exploitation:** Nord Stream.
* **Infrastructure:** Defanged C2/exfiltration domains are listed in the source article's separate IOC section; the primary activity observed is exfiltration of harvested secrets to attacker-controlled domains.
## Implications
TeamPCP represents a significant shift in supply chain threats by shrinking the "time-to-exploit" window. By automating the validation and discovery phases, they can pivot from a software compromise to a full cloud environment breach in under 24 hours. Their focus on ECS and container runtime suggests an advanced understanding of modern cloud-native architectures.
## Mitigations
* **Secret Rotation:** Immediately rotate any AWS keys, Azure secrets, or GitHub PATs potentially exposed to compromised versions of Trivy, KICS, or LiteLLM.
* **CI/CD Security:** Restrict GitHub Actions workflow permissions using `permissions:` blocks in the workflow YAML files, limiting them to read-only where possible.
* **Runtime Monitoring:** Monitor for unauthorized `sts:GetCallerIdentity` calls from unexpected IP addresses or user agents.
* **Container Security:** Audit and restrict the use of `ECS Exec` and SSM Agent access within production environments.
* **Supply Chain Guardrails:** Use private mirrors for PyPI or implement lockfiles/integrity checks to prevent automatic updates to malicious package versions.
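The runtime-monitoring item above can be turned into a concrete triage routine over CloudTrail records. The following is an added example written for this summary, not code from the report or from any of the affected projects: it flags `sts:GetCallerIdentity` calls whose source IP falls outside an expected egress range or whose user agent is not one our own tooling presents, then checks whether the same access key went on to enumerate the services the TTPs section lists (IAM, EC2, Lambda, RDS, Route 53, S3), which is the validation-then-discovery pattern described. The trusted CIDR, the user-agent prefixes, the access key IDs and the log lines are all constructed for the example.

```python
"""Triage CloudTrail records for the validate-then-enumerate pattern:
an untrusted sts:GetCallerIdentity call followed by read-only discovery
calls across several services from the same access key."""
import ipaddress
import json

# Assumptions for this example (not from the report): the CI egress range we
# expect validation calls from, and user-agent prefixes of our own tooling.
TRUSTED_CIDRS = [ipaddress.ip_network("203.0.113.0/24")]
TRUSTED_USER_AGENT_PREFIXES = ("aws-cli/", "aws-sdk-go/", "Boto3/")

# Services named in the report's internal-discovery phase, keyed by the
# first label of CloudTrail's eventSource (e.g. "iam.amazonaws.com" -> "iam").
DISCOVERY_SERVICES = {"iam", "ec2", "lambda", "rds", "route53", "s3"}
DISCOVERY_PREFIXES = ("List", "Describe", "Get")


def is_trusted_ip(ip: str) -> bool:
    """True if ip parses and lies inside one of the trusted CIDRs."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_CIDRS)


def suspicious_identity_checks(records: list) -> dict:
    """Map access key ID -> reasons for every GetCallerIdentity call that
    came from an untrusted IP or carried an unexpected user agent."""
    flagged = {}
    for r in records:
        if r.get("eventSource") != "sts.amazonaws.com":
            continue
        if r.get("eventName") != "GetCallerIdentity":
            continue
        reasons = []
        if not is_trusted_ip(r.get("sourceIPAddress", "")):
            reasons.append("untrusted source IP")
        if not r.get("userAgent", "").startswith(TRUSTED_USER_AGENT_PREFIXES):
            reasons.append("unexpected user agent")
        if reasons:
            key = r.get("userIdentity", {}).get("accessKeyId", "unknown")
            flagged[key] = reasons
    return flagged


def discovery_burst(records: list, access_key: str, min_services: int = 3) -> set:
    """Distinct discovery services touched by access_key, or an empty set if
    fewer than min_services were enumerated (a single Describe call is noise)."""
    services = set()
    for r in records:
        if r.get("userIdentity", {}).get("accessKeyId") != access_key:
            continue
        svc = r.get("eventSource", "").split(".")[0]
        if svc in DISCOVERY_SERVICES and r.get("eventName", "").startswith(DISCOVERY_PREFIXES):
            services.add(svc)
    return services if len(services) >= min_services else set()


def triage(records: list) -> dict:
    """Combine both checks: for each suspicious validation call, report the
    reasons and the discovery services that followed from the same key."""
    return {
        key: {"reasons": reasons, "enumerated": sorted(discovery_burst(records, key))}
        for key, reasons in suspicious_identity_checks(records).items()
    }


# Constructed CloudTrail-style records: one legitimate CI validation from the
# trusted range, and one leaked key validated from elsewhere and then used
# to enumerate IAM, EC2, S3 and Lambda. Key IDs are placeholders.
SAMPLE_RECORDS = [json.loads(line) for line in """
{"eventSource":"sts.amazonaws.com","eventName":"GetCallerIdentity","sourceIPAddress":"203.0.113.10","userAgent":"aws-cli/2.15.0","userIdentity":{"accessKeyId":"AKIAEXAMPLECI000001"}}
{"eventSource":"sts.amazonaws.com","eventName":"GetCallerIdentity","sourceIPAddress":"198.51.100.77","userAgent":"Go-http-client/1.1","userIdentity":{"accessKeyId":"AKIAEXAMPLELEAKED01"}}
{"eventSource":"iam.amazonaws.com","eventName":"ListUsers","sourceIPAddress":"198.51.100.77","userAgent":"Go-http-client/1.1","userIdentity":{"accessKeyId":"AKIAEXAMPLELEAKED01"}}
{"eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","sourceIPAddress":"198.51.100.77","userAgent":"Go-http-client/1.1","userIdentity":{"accessKeyId":"AKIAEXAMPLELEAKED01"}}
{"eventSource":"s3.amazonaws.com","eventName":"ListBuckets","sourceIPAddress":"198.51.100.77","userAgent":"Go-http-client/1.1","userIdentity":{"accessKeyId":"AKIAEXAMPLELEAKED01"}}
{"eventSource":"lambda.amazonaws.com","eventName":"ListFunctions","sourceIPAddress":"198.51.100.77","userAgent":"Go-http-client/1.1","userIdentity":{"accessKeyId":"AKIAEXAMPLELEAKED01"}}
{"eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","sourceIPAddress":"203.0.113.10","userAgent":"aws-cli/2.15.0","userIdentity":{"accessKeyId":"AKIAEXAMPLECI000001"}}
""".strip().splitlines()]


if __name__ == "__main__":
    for key, finding in triage(SAMPLE_RECORDS).items():
        print(key, finding)
```

The user-agent check is deliberately an allow-list rather than a search for any particular tool's string, since a validation tool's user agent is trivial to change; the source-IP check and the multi-service enumeration that follows are the more durable signals. In production the same logic runs over CloudTrail Lake or an Athena export instead of the inline list, and the CI key that legitimately calls `GetCallerIdentity` from the trusted range produces no finding.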