TeamPCP Moves From OSS to AWS Environments


After validating stolen credentials with TruffleHog, the hacking group began enumerating AWS services and moving laterally.

The threat actor behind the widespread March campaign targeting the open source software community has been using compromised credentials to access AWS environments and exfiltrate more data, cybersecurity firm Wiz reports.

The hacking group, known as TeamPCP, DeadCatx3, PCPcat, and ShellForce, has been active since 2024. Initially focused on cloud environments, the group shifted to supply chain attacks in mid-2025, targeting the theft of CI/CD credentials at scale.

TeamPCP made headlines over the past two weeks, after hacking Aqua Security’s Trivy vulnerability scanner as part of a campaign that has since expanded to NPM, PyPI, and OpenVSX.

According to OpenSourceMalware, the various incidents attributed to the group over the past weeks are chained together, as they were all triggered by the Trivy hack, which was the result of improperly rotated credentials ...


Copyright of this story solely belongs to securityweek.