TeamPCP Moves From OSS to AWS Environments
"The hacking group, known as TeamPCP, DeadCatx3, PCPcat, and ShellForce, has been active since 2024. Initially focused on cloud environments, the group shifted to supply chain attacks in mid-2025, targeting the theft of CI/CD credentials at scale."
"TeamPCP made headlines over the past two weeks, after hacking Aqua Security's Trivy vulnerability scanner as part of a campaign that has since expanded to NPM, PyPI, and OpenVSX."
"Security researchers estimate that tens of thousands of repositories were likely impacted by the campaign, as TeamPCP's malware was designed to harvest credentials, API tokens, SSH tokens, and other secrets from the infected developer systems."
"According to a fresh Wiz report, the hacking group did not waste time validating the exfiltrated credentials. They used the open source tool TruffleHog to confirm that stolen AWS access keys, Azure application secrets, and various SaaS tokens were still valid and in use."
TeamPCP, also known as DeadCatx3 and ShellForce, has been active since 2024, initially targeting cloud environments before shifting to supply chain attacks in 2025. The group recently hacked Aqua Security's Trivy vulnerability scanner, which led to a broader campaign affecting NPM, PyPI, and OpenVSX. The malware injected into Trivy packages allowed the group to compromise developers' tokens, including a significant breach involving LiteLLM. Security researchers estimate that tens of thousands of repositories were impacted, with the group quickly validating and using the stolen credentials.
Read at SecurityWeek