TeamPCP expands supply chain intrusions into cloud and enterprise environments

Threat summary

According to new reporting on March 31, the threat actors behind TeamPCP’s supply chain campaign are now using credentials stolen during earlier compromises to access Amazon Web Services (AWS) accounts, execute commands inside containers, and extract cloud‑hosted data.

On the same day, BleepingComputer reported that adversaries used credentials stolen in the compromise of open-source vulnerability scanner, Trivy, to access Cisco’s internal development environment. A source told BleepingComputer that Cisco’s teams contained a breach involving a malicious GitHub Action plugin linked to the Trivy compromise. The attackers used this malicious GitHub Action to steal credentials and data from Cisco’s build and development environment, impacting dozens of devices, including developer and lab workstations.

These developments build on earlier phases of the campaign documented in our previous blogs. Initial compromises of developer tools enabled credential theft at scale.

The attackers validated cloud keys taken from the Trivy, LiteLLM, and Checkmarx KICS compromises and used them to access cloud services, enumerate infrastructure, run commands inside containers, and exfiltrate sensitive data. They rely on valid keys and trusted automation paths, allowing them to bypass authentication controls and blend into normal developer and pipeline activity.

Analysis

The campaign affects build systems, cloud tenants, and customer-facing infrastructure, creating a broad attack surface that is difficult to detect using traditional security controls.

Organizations are affected if they installed compromised versions of Trivy, LiteLLM, Telnyx, or KICS in continuous integration and continuous delivery environments, or if their cloud keys were exposed during these compromises.

Enterprises with development environments connected to GitHub Actions workflows or automated pipelines that used Trivy-linked tooling are also impacted. Managed service providers supporting clients with shared build infrastructure, unpinned dependencies, or cloud environments where stolen credentials remain active face elevated exposure.

The threat actors rely on valid credentials because these allow them to bypass authentication controls, blend into normal activity, and move quickly across cloud and enterprise environments.

This trend is significant because it demonstrates a direct progression from open-source supply chain compromise to cloud and enterprise intrusion, showing how a single upstream compromise can cascade across developer systems, cloud tenants, and customer environments.

Organizations can reduce risk by:

• Rotating all secrets exposed in any environment where compromised packages were installed, including cloud access keys, Secure Shell keys, and GitHub tokens.
• Reimaging affected developer and build systems and reinstalling tooling from verified sources.
• Enforcing version pinning in continuous integration pipelines to prevent unauthorized dependency updates.
• Using scoped publishing tokens and multi-factor authentication for package releases to limit the impact of credential theft.
• Reviewing cloud logs for unexpected Amazon Elastic Container Service Exec activity, Amazon Simple Storage Service access, and Secrets Manager retrievals.
• Isolating build environments and restricting outbound network access during dependency installation to reduce exposure to malicious upstream packages.
• Auditing development environments for unauthorized GitHub Action plugins, cloned repositories, and anomalous automation activity.

Stay on top of emerging threats like this.

Sign up to receive a weekly roundup of our security intelligence feed. You'll be the first to know of emerging attack vectors, threats, and vulnerabilities. 

Sign up