www.darkreading.com 3/31/2026, 8:33:23 PM

TeamPCP Breaches Cloud, SaaS Instances With Stolen Credentials

Threat Actor: TeamPCP

TeamPCP is widening its cloud and SaaS focus, using stolen credentials to breach AWS and Azure environments as well as SaaS platforms after previously compromising open-source projects. According to Wiz Research, the group this month targeted Trivy, KICS, LiteLLM and the Telnyx PyPI package, aiming to deploy infostealer malware and harvest credentials, API keys, SSH keys and other secrets.

Wiz’s blog notes that the threat actors rapidly weaponised validated credentials, with AWS discovery operations beginning as quickly as 24 hours after the initial theft. The researchers describe extensive enumeration across victims’ AWS environments, collecting data on IAM roles, S3 buckets and ECS instances, then exfiltrating data from S3 and AWS Secrets Manager and using ECS Exec to run commands in running containers.

They caution that their findings aren’t limited to a single cloud and that compromises were observed across Azure, GitHub and other SaaS providers, underscoring the need for rapid credential rotation and vigorous monitoring. Organizations are urged to hunt for suspicious activity and ensure audit logging is enabled to limit the blast radius.
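One way to hunt for the post-theft pattern Wiz describes, added here as an example rather than code from the Wiz write-up: group CloudTrail-style events by access key and flag any key whose first 24 hours of activity mix several distinct discovery calls with secret retrieval or ECS Exec. The event names are real CloudTrail values; the records and key IDs below are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Real CloudTrail eventName values matching the discovery and exfiltration
# steps described above (S3 GetObject needs data events enabled to be logged).
DISCOVERY_CALLS = {"ListRoles", "ListUsers", "ListBuckets", "ListClusters",
                   "ListTasks", "DescribeTasks", "ListSecrets"}
SENSITIVE_CALLS = {"GetSecretValue", "GetObject", "ExecuteCommand"}

def parse_time(ts):
    # CloudTrail eventTime is ISO 8601 with a trailing Z.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def flag_rapid_discovery(events, window=timedelta(hours=24), min_discovery=3):
    """Flag keys whose first `window` of activity mixes discovery with a sensitive call."""
    by_key = defaultdict(list)
    for ev in events:
        by_key[ev["userIdentity"]["accessKeyId"]].append(ev)
    flagged = {}
    for key, evs in by_key.items():
        evs.sort(key=lambda e: parse_time(e["eventTime"]))
        first_seen = parse_time(evs[0]["eventTime"])
        discovery, sensitive = set(), set()
        for ev in evs:
            if parse_time(ev["eventTime"]) - first_seen > window:
                break  # only the burst right after first use matters here
            name = ev["eventName"]
            if name in DISCOVERY_CALLS:
                discovery.add(name)
            elif name in SENSITIVE_CALLS:
                sensitive.add(name)
        if len(discovery) >= min_discovery and sensitive:
            flagged[key] = {"discovery": sorted(discovery), "sensitive": sorted(sensitive)}
    return flagged

def _ev(key, name, t):
    # Minimal constructed CloudTrail record; real records carry many more fields.
    return {"eventTime": t, "eventName": name, "userIdentity": {"accessKeyId": key}}

# Constructed sample: a stolen key enumerates and pulls secrets within hours of
# its first use; a routine key only lists and reads one bucket.
SAMPLE_EVENTS = [
    _ev("AKIACONSTRUCTED0STOLEN", "ListRoles", "2026-03-10T01:00:00Z"),
    _ev("AKIACONSTRUCTED0STOLEN", "ListBuckets", "2026-03-10T01:02:00Z"),
    _ev("AKIACONSTRUCTED0STOLEN", "ListClusters", "2026-03-10T01:05:00Z"),
    _ev("AKIACONSTRUCTED0STOLEN", "GetSecretValue", "2026-03-10T03:30:00Z"),
    _ev("AKIACONSTRUCTED0STOLEN", "ExecuteCommand", "2026-03-10T04:00:00Z"),
    _ev("AKIACONSTRUCTED0ROUTINE", "ListBuckets", "2026-03-10T02:00:00Z"),
    _ev("AKIACONSTRUCTED0ROUTINE", "GetObject", "2026-03-10T02:01:00Z"),
]
```

Run it over real CloudTrail exports by feeding the `Records` array in place of `SAMPLE_EVENTS`; tune `min_discovery` and `window` to the account's normal automation noise.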


Article by CyberSIXT