logo

TeamPCP Defaces Aqua Security’s Internal GitHub Org

ID: cb847c36-c72e-5ca6-a611-28d3a32a93ec

STIX ID: report--cb847c36-c72e-5ca6-a611-28d3a32a93ec

Feed Name: OpenSourceMalware Blog

Threat Score
88/100

Date Published: 2026-03-23

Date Updated: 2026-06-20

Author: c0a15726-c5b1-4b0d-85e6-fe15553df9e2

...
...

TeamPCP (aka DeadCatx3/PCPcat/ShellForce) used a stolen Argon-DevOps-Mgt personal access token — likely harvested via prior Trivy GitHub Actions tag poisoning — to execute an automated 2-minute defacement of Aqua Security's internal GitHub org (aquasec-com), renaming and publicizing 44 repositories and exposing internal source code, CI/CD configurations, and knowledge bases; the report includes timelines, IOCs (domains, C2 hosts, file paths, a hash), and remediation steps including immediate token revocation and secret rotation.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.