www.securityweek.com 3/31/2026, 2:05:37 PM · via preferred

TeamPCP Moves From OSS to AWS Environments


According to Wiz, the threat actor behind the widespread March campaign targeting the open source software community has been using compromised credentials to access AWS environments and exfiltrate more data. The hacking group, known as TeamPCP, DeadCatx3, PCPcat, and ShellForce, has been active since 2024. In the compromised AWS environments, it began by validating stolen credentials before moving into discovery, focusing on containers, mapping clusters and task definitions, and targeting Secrets Manager.

After validating the stolen secrets, the group used GitHub workflows to run code within victim environments and employed the ECS Exec feature to execute commands on containers running in AWS. Security researchers note that TeamPCP accessed S3 buckets, Secrets Manager and databases for bulk data exfiltration, with the exfiltrated data potentially shared with other groups to enable additional operations.
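The sequence described above (credential validation, ECS discovery, Secrets Manager access, ECS Exec) can be hunted for in CloudTrail by correlating stages per access key. This is an added example, not code from the article or from Wiz; mapping validation to sts:GetCallerIdentity, the one-hour window, the three-stage threshold and the sample records are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Stage -> CloudTrail (eventSource, eventName). Mapping "validation" to
# sts:GetCallerIdentity is an assumption; the article names no API calls.
ECS, SM = "ecs.amazonaws.com", "secretsmanager.amazonaws.com"
STAGES = {
    "validate": {("sts.amazonaws.com", "GetCallerIdentity")},
    "discover": {(ECS, "ListClusters"), (ECS, "ListTaskDefinitions"),
                 (ECS, "DescribeTaskDefinition")},
    "secrets": {(SM, "ListSecrets"), (SM, "GetSecretValue")},
    "exec": {(ECS, "ExecuteCommand")},
}
WINDOW = timedelta(hours=1)  # hypothetical correlation window

def stage_of(rec):
    call = (rec.get("eventSource"), rec.get("eventName"))
    return next((s for s, calls in STAGES.items() if call in calls), None)

def flag_keys(records, min_stages=3):
    """Map accessKeyId -> stages for keys hitting >= min_stages in one WINDOW."""
    by_key = defaultdict(list)
    for rec in records:
        stage = stage_of(rec)
        key_id = rec.get("userIdentity", {}).get("accessKeyId")
        if stage and key_id:
            ts = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            by_key[key_id].append((ts, stage))
    flagged = {}
    for key_id, hits in by_key.items():
        hits.sort()
        # Widest set of distinct stages seen in any window starting at a hit.
        best = max(({s for t, s in hits[i:] if t - start <= WINDOW}
                    for i, (start, _) in enumerate(hits)), key=len)
        if len(best) >= min_stages:
            flagged[key_id] = sorted(best)
    return flagged

def make_record(time, source, name, key_id):  # minimal CloudTrail-shaped record
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": {"accessKeyId": key_id}}

# Constructed sample events and key ids, not real telemetry.
SAMPLE = [
    make_record("2026-03-20T10:00:05Z", "sts.amazonaws.com", "GetCallerIdentity", "AKIAEXAMPLEKEY1"),
    make_record("2026-03-20T10:01:10Z", ECS, "ListClusters", "AKIAEXAMPLEKEY1"),
    make_record("2026-03-20T10:04:00Z", SM, "ListSecrets", "AKIAEXAMPLEKEY1"),
    make_record("2026-03-20T10:09:45Z", ECS, "ExecuteCommand", "AKIAEXAMPLEKEY1"),
    make_record("2026-03-20T10:03:00Z", SM, "GetSecretValue", "AKIAEXAMPLEKEY2"),
]
```

A key that only reads secrets, as an application role normally does, stays below the threshold; the signal is one key crossing several stages in a short span.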

The article also notes that TeamPCP shifted from cloud environments to supply chain attacks in mid-2025 and has been linked to campaigns against Trivy, NPM, PyPI and OpenVSX. The piece, published on 31 March 2026, describes the group’s activities as part of ongoing post-compromise operations.


Article by CyberSIXT