www.infosecurity-magazine.com 3/31/2026, 12:57:23 PM · via preferred

TeamPCP Explores Ways to Exploit Stolen Supply Chain Secrets


Researchers have observed a “dangerous convergence” between supply chain attackers and extortion gangs like Lapsus$. TeamPCP is noted to be exploring ways to monetise the secrets it harvests during these campaigns, including cloud credentials, SSH keys, Kubernetes configuration files and other secrets used in the coding process.

According to Wiz, whose security researchers are now part of Google Cloud, a new report published on 30 March documents evidence that TeamPCP was exploring such monetisation and had been observed encrypting these secrets and exfiltrating them to attacker-controlled domains. Wiz confirmed to Infosecurity that TeamPCP was explicitly collaborating with the notorious extortion group Lapsus$ to perpetuate the chaos.

As part of its research into the group’s activity, the article also references posts on BreachForums attributed to the Vect ransomware group, which describe a partnership with TeamPCP. In addition, TeamPCP’s activity on PyPI has included uploading malicious packages and using typosquatting to trick developers, with campaigns targeting Trivy, Checkmarx's KICS, LiteLLM AI Gateway and the Telnyx Python package.


Article by CyberSIXT
