Tracking TeamPCP: Investigating Post-Compromise Attacks Seen in the Wild
ID: 8883f761-466e-5422-b55c-f7f11a4b161f
STIX ID: report--8883f761-466e-5422-b55c-f7f11a4b161f
Feed Name: Wiz Blog
Wiz CIRT and Research describe an active supply‑chain campaign by "TeamPCP" that deployed credential‑stealing malware in multiple open‑source projects (Trivy, KICS, LiteLLM, Telnyx), then rapidly validated stolen secrets and used them for AWS discovery, GitHub repository exfiltration, container execution, and bulk data theft; the report provides observed TTPs, IPs/user‑agents and detection/remediation guidance.
