TeamPCP Defaces Aqua Security’s Internal GitHub Org
ID: cb847c36-c72e-5ca6-a611-28d3a32a93ec
STIX ID: report--cb847c36-c72e-5ca6-a611-28d3a32a93ec
Feed Name: OpenSourceMalware Blog
Date Published: 2026-03-23
Date Updated: 2026-06-20
Author: c0a15726-c5b1-4b0d-85e6-fe15553df9e2
TeamPCP (aka DeadCatx3/PCPcat/ShellForce) used a stolen Argon-DevOps-Mgt personal access token — likely harvested via prior Trivy GitHub Actions tag poisoning — to execute an automated 2-minute defacement of Aqua Security's internal GitHub org (aquasec-com), renaming and publicizing 44 repositories and exposing internal source code, CI/CD configurations, and knowledge bases; the report includes timelines, IOCs (domains, C2 hosts, file paths, a hash), and remediation steps including immediate token revocation and secret rotation.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
