
TeamPCP Turns Stolen Credentials Into Cloud and SaaS Breaches Across AWS and Azure

April 11, 2026 01:55 · 4 min read

From Supply Chain Poisoning to Cloud Exploitation

TeamPCP, a threat group that has been systematically targeting open source software projects, has now pivoted to leveraging its cache of stolen credentials against cloud and software-as-a-service (SaaS) environments. The escalation marks a significant step up in the group's operational ambitions, moving beyond credential harvesting toward direct intrusion into enterprise cloud infrastructure.

Throughout this month, TeamPCP compromised several prominent open source projects. The group's campaign began with Trivy, a security scanner maintained by Aqua Security, and KICS, a static code analysis tool developed by Checkmarx. More recently, the actors targeted LiteLLM, an open source Python library, and the PyPI package of Telnyx, a tool used by developers to build voice AI agents.

Across all four attack campaigns, the underlying objective was consistent: inject infostealer malware into poisoned open source software packages, then deploy that malware within organizations to harvest user credentials, API keys, SSH keys, and other sensitive secrets.

Wiz Research Tracks Active Incidents

In a blog post published on March 31, 2026, Wiz Research detailed how its customer incident response team (CIRT) investigated and responded to what it described as "multiple attacks" stemming from TeamPCP's supply chain compromises. The Wiz CIRT first detected malicious use of stolen credentials on March 19, observing threat actors deploying the Trufflehog open source tool to validate the stolen credentials before use.

Trufflehog validation activity was observed specifically for AWS access keys, Azure application secrets, and various SaaS tokens — pointing to a deliberate, multi-platform targeting strategy.

Speed Is TeamPCP's Defining Characteristic

One of the most alarming findings from Wiz's investigation was the sheer pace at which TeamPCP operationalized the stolen material. According to the researchers, threat actors began performing AWS discovery operations "as quickly as 24 hours after the initial theft."

Once inside AWS environments, the group carried out extensive enumeration, gathering intelligence on:

Beyond reconnaissance, the attackers exfiltrated data from S3 buckets and AWS Secrets Manager, and abused the ECS Exec feature to run Bash commands and Python scripts directly on running containers. Wiz researchers noted this capability allowed the threat actors to move deeper into compromised environments and siphon additional sensitive data.

Azure, GitHub, and SaaS Providers Also in the Crosshairs

TeamPCP's reach extended well beyond AWS. Wiz Research confirmed to Dark Reading that the group's activity spanned multiple platforms: "We've observed compromises across Azure, GitHub, and other SaaS providers, reflecting how attackers reuse validated credentials across environments."

On GitHub specifically, the Wiz CIRT tracked TeamPCP actors abusing the platform's workflow features to execute code inside targeted repositories. The group also weaponized GitHub Personal Access Tokens to clone repositories at scale — a tactic that amplifies their reach and could facilitate further downstream attacks.

Despite the breadth of the campaign, Wiz Research declined to provide specific figures on the total number of impacted cloud environments, stating only that the activity was not limited to any single cloud provider.

What Organizations Should Do Now

The speed and aggression of TeamPCP's cloud operations underscore a critical lesson for defenders: when credentials are compromised, every minute counts. Wiz Research was direct on this point — "organizations that acted fast to revoke or rotate access were able to limit the blast radius."

Any organization that may have been affected by the supply chain compromises targeting Trivy, KICS, LiteLLM, or Telnyx is urged to take immediate action, including:

  1. Rotating all secrets and credentials without delay
  2. Hunting for suspicious and anomalous activity within cloud environments
  3. Reviewing logs for unusual VPN usage patterns
  4. Monitoring for a high volume of git.clone events within short time windows
  5. Checking for suspicious enumeration activity in cloud accounts
  6. Ensuring that audit logging is fully enabled across the network
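An added detection example, not code from the article or from Wiz Research, that turns items 4 and 5 of this list and the ECS Exec abuse described earlier into checks over log events. All events are constructed samples; the actor names, thresholds and five-minute window are assumptions, while the CloudTrail event names are standard AWS API names.

```python
# Detection sketch for the guidance above: bursts of git.clone events in a GitHub
# audit log, bursts of discovery calls in AWS CloudTrail, and use of ECS Exec.
# Every event below is a constructed sample, not a real log.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed GitHub audit-log events (actor, action, timestamp): one token
# cloning six repositories inside a minute, one user cloning once.
GITHUB_EVENTS = [("ci-token", "git.clone", f"2026-03-19T10:00:{s:02d}Z")
                 for s in range(0, 60, 10)]
GITHUB_EVENTS.append(("alice", "git.clone", "2026-03-19T09:00:00Z"))

# Constructed CloudTrail events (principal, eventName, eventTime): a stolen key
# issuing twelve discovery calls in two minutes and then using ECS Exec.
DISCOVERY = ["GetCallerIdentity", "ListBuckets", "ListSecrets", "ListUsers",
             "ListRoles", "ListAccessKeys", "DescribeInstances", "DescribeClusters",
             "ListTasks", "ListFunctions", "DescribeDBInstances", "ListRepositories"]
CLOUDTRAIL_EVENTS = [("stolen-key", n, f"2026-03-20T08:0{i // 6}:{i % 6 * 10:02d}Z")
                     for i, n in enumerate(DISCOVERY)]
CLOUDTRAIL_EVENTS += [("stolen-key", "ExecuteCommand", "2026-03-20T08:05:00Z"),
                      ("ops-admin", "DescribeInstances", "2026-03-20T08:00:00Z"),
                      ("ops-admin", "ListBuckets", "2026-03-20T14:00:00Z")]

def burst_actors(events, matches, window, threshold):
    """Return {actor: peak count} for actors whose matching events reach
    `threshold` inside some sliding window of length `window`."""
    per_actor = defaultdict(list)
    for actor, action, ts in events:
        if matches(action):
            per_actor[actor].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    hits = {}
    for actor, times in per_actor.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # drop events outside window
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[actor] = peak
    return hits

def clone_bursts(events, window=timedelta(minutes=5), threshold=5):  # item 4
    return burst_actors(events, lambda a: a == "git.clone", window, threshold)

def enumeration_bursts(events, window=timedelta(minutes=5), threshold=10):  # item 5
    is_discovery = lambda a: a.startswith(("List", "Describe", "Get"))
    return burst_actors(events, is_discovery, window, threshold)

def ecs_exec_actors(events):  # ECS Exec is logged by CloudTrail as ExecuteCommand
    return sorted({p for p, name, _ in events if name == "ExecuteCommand"})
```

Thresholds and windows should be tuned against a baseline of normal CI and admin activity before alerting on them.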

Wiz Research published indicators of compromise (IOCs) related to the recent TeamPCP attacks and encouraged security teams to actively monitor for those signs. Defenders should note that in some cases, TeamPCP actors may have gained access to cloud environments before the victim even became aware their credentials had been stolen — making proactive threat hunting especially important.

A Threat Group Prioritizing Aggression Over Stealth

The broader pattern of TeamPCP's behavior suggests a group that values speed and scale over subtlety. Unlike threat actors who linger undetected in networks for months, TeamPCP appears to move quickly to maximize damage before credentials are rotated or revoked. This aggressive posture places a premium not just on perimeter security, but on the speed and effectiveness of an organization's incident response capabilities.

As TeamPCP continues to demonstrate, a successful supply chain intrusion is only the beginning. The real damage comes when stolen secrets are weaponized against cloud infrastructure — and in this group's case, that weaponization can begin within a single day.


Source: Dark Reading
