Following the recent supply chain attacks targeting the Trivy, KICS, and LiteLLM projects, the Wiz Customer Incident Response Team (CIRT) and Wiz Research have proactively hunted, notified, and responded to multiple attacks being carried out by the TeamPCP threat actor group.
The TeamPCP Campaign
Wiz Research has tracked the campaign of supply chain operations against popular open source tools carried out by the group calling themselves "TeamPCP" over the past two weeks:
March 19 - Trivy: Credential-stealing malware injected into Aqua Security's vulnerability scanner through the binary, GitHub Actions and container images.
March 23 - KICS: Same malware injected into Checkmarx's IaC scanner, through the GitHub Action and OpenVSX extensions.
March 24 - LiteLLM: Malicious PyPI packages targeting the popular LLM proxy library.
March 27 - Telnyx: Malicious versions of the Telnyx Python package were published to PyPI.
All four attacks deployed malware that harvests cloud credentials, SSH keys, Kubernetes configuration files, and CI/CD secrets, encrypting and exfiltrating them to attacker-controlled domains. This blog post details how Wiz has seen these credentials used after they were stolen.
Wiz CIRT saw indications in Cloud, Code, and Runtime evidence that the credentials and secrets stolen in the supply chain compromises were quickly validated and used to explore victim environments and exfiltrate additional data. While the speed at which they were used suggests that it was the work of the same threat actors responsible for the supply chain operations, we are not able to rule out the secrets being shared with other groups and used by them.
Observed TTPs
Secret Validation
Wiz CIRT identified activity leveraging secrets stolen via the Trivy supply chain compromise as early as March 19, just hours after the initial malware was deployed. As is often seen in mass credential harvesting operations, the first step was validating the stolen secrets using the open-source tool TruffleHog. TruffleHog can automate credential validation by making live API calls directly to the respective cloud providers. For example, when verifying an AWS access key, TruffleHog invokes the sts:GetCallerIdentity API call to confirm whether the compromised credentials remain active and usable. The team identified TruffleHog calls against different types of cloud and SaaS keys, including AWS access keys, Azure application secrets, and different SaaS tokens.
Internal Discovery
After the secrets were validated, and as quickly as 24 hours after the initial theft, the threat actor began performing AWS discovery operations. This phase focused on enumerating the victims’ environment across several AWS services:
Identity and Compute: IAM (ListUsers, ListRoles, ListAttachedUserPolicies), EC2 (DescribeInstances), and Lambda (ListFunctions).
Infrastructure and Storage: RDS (DescribeDBInstances), Route 53 (ListHostedZones), and S3 (ListBuckets, GetBucketPublicAccessBlock).
Container Environments (ECS): TeamPCP showed a distinct focus on ECS, mapping clusters and task definitions (ListClusters, ListTaskDefinitions, DescribeTaskDefinition, ListTasks, DescribeTasks) to identify targets for interactive container access.
Secrets Management: AWS Secrets Manager (ListSecrets), which was targeted to prepare a list of secrets available for bulk exfiltration.
Code Execution and Lateral Movement
Once access had been validated and the layout identified, the actors used a variety of techniques to further their scheme by executing additional code and gaining access to other parts of the victim environments.
In multiple instances TeamPCP abused GitHub workflows to execute code within targeted repositories. Using stolen Personal Access Tokens (PATs), the attackers created pull requests containing malicious workflows, which were then triggered to run in the context of the repository. These workflows likely provided access to repository contents and runtime secrets, including environment variables and tokens available during execution. After execution, the attacker deleted the associated workflow logs, likely to remove evidence of their activity and hinder detection.
In other cases, residual evidence indicated that the malicious workflows were created by the Nord Stream GitHub tool.
In AWS environments, the ECS Exec feature (leveraging the SSM Agent) was used to execute Bash commands and Python scripts directly on running containers. This access enabled the attackers to explore the environment and exfiltrate sensitive data.
Data Exfiltration
The threat actors targeted valuable information throughout the victim environments, using native techniques to efficiently steal data. Beyond its immediate value, the exfiltrated data may also contain additional secrets that enable further access and exploitation.
In GitHub, they abused authenticated access via Personal Access Tokens (PATs) to clone repositories at scale using “git.clone”, enabling access to source code, configuration files, and embedded secrets within impacted environments.
Within AWS environments, the attackers used the stolen credentials to access and extract data from services such as S3 buckets, Secrets Manager, and databases, enabling bulk data retrieval and potential exposure of sensitive information.
Adversary Profile
TeamPCP’s post-compromise activities focused on compromising additional secrets and exfiltrating massive amounts of data from code repositories and cloud resources. The exfiltrated data and compromised secrets are potentially being shared with other groups to enable a range of operations.
TeamPCP is not trying to hide or blend in - they prioritized ease of use and speed by using open-source tools with strong signatures, conducting massive operations, and using bold resource names such as “pawn” or “massive-exfil”. Wiz CIRT observed the bulk of TeamPCP’s activity originating from Mullvad Virtual Private Network (VPN) exit nodes and virtual private server hosts such as InterServer.
What should Incident Responders and Threat Hunters do?
To detect and respond to anomalous activity, ensure audit logging is enabled and monitored across your cloud service providers and version control systems. This includes off-by-default logs such as cloud storage logs and IP logging in GitHub audit logs.
To identify post-compromise activity following the supply chain attacks, hunt for the following:
Any log source containing the known IOCs detailed below, including IP addresses and user agents
Unexpected usage of VPN providers
Key or token usage from new/anomalous Autonomous System Organizations (ASOs)
Unusual enumeration activity, e.g. “ListUsers”, “ListRoles”, “DescribeInstances”
Unusual secret access and validation, e.g. “ListSecrets”, “GetCallerIdentity”
Many “GetSecretValue”, or “GetObject” events in a short period of time by a token or a key
Anomalous execution of “ExecuteCommand” by a token or a key
Anomalous execution on workloads from SSM processes
Many “git.clone” events in a short period of time by a token or a key
Deletion of a Workflow log by a token or a key
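The AWS items in the hunting list above can be turned into a per-access-key triage pass over CloudTrail records. The following is an added example, not Wiz's detection logic: the event names and the TruffleHog user agent come from this post, while the 10-minute window, the thresholds, the helper names and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Event names come from the hunting list above; thresholds are assumptions to tune.
ENUM = {"ListUsers", "ListRoles", "DescribeInstances", "ListSecrets"}
BULK = {"GetSecretValue", "GetObject"}
WINDOW, ENUM_MIN, BULK_MIN = timedelta(minutes=10), 3, 5

def max_in_window(times):
    """Largest number of timestamps that fall inside any WINDOW-long span."""
    times, best, start = sorted(times), 0, 0
    for end, t in enumerate(times):
        while t - times[start] > WINDOW:
            start += 1
        best = max(best, end - start + 1)
    return best

def hunt(events):
    """Map each access key ID to the set of hunting leads its events match."""
    seen = defaultdict(lambda: defaultdict(list))  # key -> category -> timestamps
    leads = defaultdict(set)
    for e in events:
        key = e.get("userIdentity", {}).get("accessKeyId", "unknown")
        when = datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        name, agent = e["eventName"], e.get("userAgent", "").lower()
        if name == "GetCallerIdentity" and "trufflehog" in agent:
            leads[key].add("secret-validation")
        if name == "ExecuteCommand":
            leads[key].add("ecs-exec")
        for cat, names in (("enum", ENUM), ("bulk", BULK)):
            if name in names:
                seen[key][cat].append(when)
    for key, cats in seen.items():
        for cat, floor in (("enum", ENUM_MIN), ("bulk", BULK_MIN)):
            if max_in_window(cats[cat]) >= floor:
                leads[key].add(cat + "-burst")
    return dict(leads)

def ev(key, name, minute, agent="aws-cli/2.0"):
    """Build one constructed CloudTrail-style record (sample data, not a real log)."""
    return {"eventTime": f"2024-01-01T00:{minute:02d}:00Z", "eventName": name,
            "userAgent": agent, "userIdentity": {"accessKeyId": key}}

K = "AKIAEXAMPLESTOLEN"  # constructed key ID
SAMPLE = ([ev(K, "GetCallerIdentity", 0, "TruffleHog"), ev(K, "ExecuteCommand", 20)]
          + [ev(K, n, 5) for n in sorted(ENUM)]
          + [ev(K, "GetSecretValue", 6 + i) for i in range(6)]
          + [ev("AKIAEXAMPLEBUILD", "GetSecretValue", 0), ev("AKIAEXAMPLEBUILD", "GetObject", 40)])
if __name__ == "__main__":
    print(hunt(SAMPLE))
```

S3 “GetObject” records only appear if CloudTrail data events are enabled, which is one of the off-by-default log sources mentioned above.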
Wiz customers can find a copy of this update in the threat center here.
If you are a Wiz Defend customer, you can search for the below Detections:
| ID | Name | Notes |
|---|---|---|
| cer-github-data-massPrivateRepoCloneOperationsByUser | Mass Clone Operations Of Private Repositories Performed By User | Post compromise |
| cer-github-data-massCloneOperationsByUser | Mass Clone Operations Performed By User | Post compromise |
| cer-github-control-workflowLogDeleted | Workflow Log Deleted | Post compromise |
| cer-azure-control-apiCallsUsingOffensiveTool | Azure API Calls Using a Known Offensive Tool | Post compromise |
| cer-correlation-id-201 | AWS Management API Calls by a Known Offensive Tool | Post compromise |
| cer-all-global-apiCallsUsingVPN | API calls made using a VPN | Post compromise |
| cer-all-global-apiCallUsingThirdPartyVPN | API Call Using Third-Party VPN | Post compromise |
| cer-github-control-unusualUserAccessThroughThirdPartyVPN | Unusual user access to Github through third-party VPN | Post compromise |
| cer-aws-control-unusualGetSecretValueByIAMUser | Unusual Secret Value Retrieval By Long Lasting IAM User | Post compromise |
| cer-aws-identity-unusualGetCallerIdentity | Unusual GetCallerIdentity Operation | Post compromise |
| cer-aws-identity-staleIAMAccessKeyUsed | IAM Access Key Used After Long Period of Inactivity | Post compromise |
| cer-correlation-id-105 | Anomalous executable not present in container image was executed | Post compromise, search for SSMSession context tag |
| cer-sen-ioc-13 | Connection to a known malicious IP detected | Trivy Supply Chain Attack |
| cer-sen-id-1006 | Process created remote network connection via bash built-ins | Trivy Supply Chain Attack |
| cer-sen-id-1417 | DNS query to typosquatted security tool domain | Trivy Supply Chain Attack |
| cer-sen-id-1304 | Python script executed base64 encoded code | LiteLLM Supply Chain Attack |
For hardening and remediation recommendations, please see Wiz blog posts on Trivy, KICS, and LiteLLM supply chain attacks.
If you suspect you are under attack, reach out to Wiz CIRT.
Indicators of Compromise (IoCs)
Network Indicators
| Indicator | ASO | First Observed | Last Observed | Notes |
|---|---|---|---|---|
| 105.245.181.120 | Vodacom (Callback proxy) | March 19 18:47 UTC | March 20 00:22 | Secret validation with TruffleHog |
| 138.199.15.172 | Datacamp Limited (Mullvad VPN) | March 19 20:32 UTC | March 25 10:58 UTC | GitHub exfiltration; malicious workflow push; AWS reconnaissance, execution, and exfiltration |
| 154.47.29.12 | Datacamp Limited (Mullvad VPN) | March 21 02:15 UTC | March 23 20:05 UTC | Secret validation; AWS reconnaissance |
| 163.245.223.12 | Interserver, Inc | March 20 21:13 UTC | March 20 23:24 UTC | GitHub exfiltration |
| 170.62.100.245 | Datacamp Limited (Mullvad VPN) | March 20 23:53 UTC | March 23 20:19 UTC | AWS reconnaissance |
| 185.77.218.4 | Oy Crea Nova Hosting Solution Ltd | March 26 06:13 UTC | March 26 08:28 UTC | Secret validation with TruffleHog |
| 193.32.126.157 | 31173 Services AB (Mullvad VPN) | March 20 00:57 UTC | March 20 13:47 UTC | GitHub exfiltration |
| 209.159.147.239 | Interserver, Inc | March 20 01:48 UTC | March 23 20:04 UTC | Secret validation with TruffleHog |
| 23.234.107.104 | Tzulo, inc | March 24 07:18 UTC | March 24 07:38 UTC | Secret validation with TruffleHog |
| 34.205.27.48 | Amazon.com, Inc | March 27 05:34 UTC | March 27 06:03 UTC | Secret validation with TruffleHog |
| 103.75.11.59 | Host Universal Pty Ltd | March 23 07:32 UTC | N/A | https://kudelskisecurity.com/research/investigating-two-variants-of-the-trivy-supply-chain-compromise |
Code Indicators
| Indicator | Type | Note |
|---|---|---|
| dev_remote_ea5Eu/test/v1 | branch name | Default branch name for “Nord Stream” |
User Agents
| Indicator | Note |
|---|---|
| Trufflehog | Secret validation |
| git/2.43.0 | GitHub exfiltration; Git version is over two years old |
| Boto3/1.42.73 md/Botocore#1.42.73 ua/2.1 os/linux#6.17.10+kali-amd64 md/arch#x86_64 lang/python#3.13.11 md/pyimpl#CPython cfg/retry-mode#legacy Botocore/1.42.73 | Boto3 (Kali Linux) |
References
Kudelski Security: Investigating Two Variants of the Trivy Supply-Chain Compromise