Originally reported by Wiz Blog
TL;DR
TeamPCP threat actors are actively leveraging credentials and secrets stolen from recent supply chain attacks to gain unauthorized access to cloud environments. The campaign demonstrates sophisticated post-compromise techniques targeting cloud infrastructure at scale.
An active threat actor campaign that leverages credentials stolen in supply chain attacks to compromise cloud environments represents a significant ongoing threat to enterprise infrastructure.
Wiz Research has identified an active threat actor group designated TeamPCP conducting targeted attacks against cloud infrastructure using credentials harvested from recent supply chain compromises. The campaign demonstrates how threat actors are weaponizing stolen secrets to achieve persistent access across multiple cloud environments.
TeamPCP's operations follow a structured approach leveraging compromised supply chain artifacts:
Wiz researchers documented several technical markers associated with TeamPCP activities:
The threat actor's access to high-value credentials suggests that TeamPCP either coordinates with, or directly benefits from, recent supply chain compromises affecting software development toolchains. TeamPCP appears to specifically target secrets and tokens embedded in compromised software packages and development repositories.
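To make the harvesting technique concrete from the defender's side, the following Python script is an added example (not code from the Wiz report, and not TeamPCP tooling): it unpacks a package tarball in memory and flags credential shapes of the kind described above, so a build pipeline can reject an artifact that ships a cloud key. The sample package is constructed inline; the planted AWS key ID is the placeholder value AWS uses in its own documentation. The AWS access key ID format (the `AKIA` prefix followed by 16 uppercase alphanumerics) is documented by AWS; the GitHub token shape and the generic assignment heuristic are assumptions made for this example and should be tuned to the secret formats an organization actually issues.

```python
import io
import re
import tarfile

# Credential shapes commonly found embedded in source files and package artifacts.
# The AWS access key ID pattern follows AWS documentation; the other two are
# heuristic assumptions for this example and will need tuning in practice.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "generic_assignment": re.compile(
        r"(?i)(secret|token|password|api[_-]?key)[a-z0-9_]*\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}

MAX_FILE_BYTES = 5_000_000  # skip very large members to bound scan time


def redact(value: str) -> str:
    """Keep only the first and last four characters so findings can be logged safely."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_text(name: str, text: str) -> list:
    """Return one finding per pattern hit, with the matched text redacted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(
                    {"file": name, "line": lineno, "kind": kind, "match": redact(match.group(0))}
                )
    return findings


def scan_tarball(data: bytes) -> list:
    """Scan every regular text file inside a tarball (any compression) without writing to disk."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar:
            if not member.isfile() or member.size > MAX_FILE_BYTES:
                continue
            handle = tar.extractfile(member)
            if handle is None:
                continue
            raw = handle.read()
            try:
                text = raw.decode("utf-8")
            except UnicodeDecodeError:
                continue  # binary member: nothing to pattern-match
            findings.extend(scan_text(member.name, text))
    return findings


def build_sample_package() -> bytes:
    """Constructed sample artifact: a small package with planted placeholder secrets."""
    files = {
        "pkg/setup.py": b"from setuptools import setup\nsetup(name='demo')\n",
        "pkg/README.md": b"# demo\nNothing sensitive here.\n",
        # AKIAIOSFODNN7EXAMPLE is the placeholder key from AWS documentation, not a live credential.
        "pkg/demo/config.py": (
            b"AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
            b"AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
        ),
        "pkg/demo/client.py": b'api_key = "sk_constructed_example_value_1234"\n',
        "pkg/demo/blob.bin": b"\xff\xfe\x00\x01\x80",  # binary member, should be skipped
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_tarball(build_sample_package()):
        print(f"{finding['file']}:{finding['line']} [{finding['kind']}] {finding['match']}")
```

Run as a pre-publish or pre-install gate, a non-empty result should fail the pipeline; the redaction keeps the finding useful for triage without copying the secret itself into CI logs, which would recreate the exposure the scan is meant to prevent.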
Organizations can implement several defensive measures:
The campaign highlights the cascading effects of supply chain compromises, where an initial code repository breach enables secondary attacks against downstream cloud infrastructure. Organizations using affected software packages face an elevated risk of unauthorized cloud access even after patching the original vulnerability, because any secrets exposed by the breach remain valid until they are rotated.