
"The stealer, referred to as 'TeamPCP Cloud stealer,' is designed to steal credentials and secrets related to SSH keys, Git, Amazon Web Services (AWS), Google Cloud, Microsoft Azure, Kubernetes, Docker, .env files, databases, and VPNs."
"The new version creates a 'docs-tpcp' repository using the victim's GITHUB_TOKEN to stage the stolen data as a backup method if the exfiltration to the server fails."
"The use of vendor-specific typosquat domains for each poisoned action is a deliberate deception technique, making it difficult for analysts to detect malicious activity."
TeamPCP has compromised two GitHub Actions workflows maintained by Checkmarx, using credential-stealing malware similar to that used in the Trivy supply chain attack. The malware targets a wide range of credentials, including AWS and Google Cloud keys and CI/CD configuration. Stolen data is exfiltrated to a specific domain in encrypted form; if that exfiltration fails, the malware creates a new repository with the victim's GITHUB_TOKEN and stages the data there as a backup. Each poisoned action uses its own vendor-specific typosquat domain, a deliberate deception tactic that makes the malicious activity harder to spot.
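As an added example (not from the article or from any party it describes), a small Python detector that scans audit-log style records for the fallback staging behaviour quoted above: any event on a repository named 'docs-tpcp', or a repository created by a token from inside a workflow run. The record layout, the field names (action, actor, repo, via_token, workflow_run) and the sample lines are constructed for this example and are not GitHub's real audit-log schema.

```python
import json

# Constructed sample of simplified audit-log records (assumed layout, not the
# real GitHub audit-log schema). Line 1 and 3 mimic the reported staging
# behaviour; line 4 is a token-created repo that deserves a look but is not a
# known indicator; line 2 is a normal human-created repository.
SAMPLE_AUDIT_LOG = """
{"action": "repo.create", "actor": "ci-bot", "repo": "acme/docs-tpcp", "via_token": true, "workflow_run": 4711}
{"action": "repo.create", "actor": "alice", "repo": "acme/docs-site", "via_token": false, "workflow_run": null}
{"action": "git.push", "actor": "ci-bot", "repo": "acme/docs-tpcp", "via_token": true, "workflow_run": 4711}
{"action": "repo.create", "actor": "ci-bot", "repo": "acme/build-cache", "via_token": true, "workflow_run": 4712}
"""

# Repository name the article reports for the stealer's backup exfiltration path.
STAGING_REPO_NAME = "docs-tpcp"


def parse_records(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_suspicious_repo_events(records):
    """Return findings (in input order) for events matching the fallback-staging pattern."""
    findings = []
    for rec in records:
        repo_name = rec.get("repo", "").split("/")[-1]
        if repo_name == STAGING_REPO_NAME:
            # Exact match on the reported staging repository: treat as high severity
            findings.append({"severity": "high",
                             "reason": "event on repository named like the reported staging repo",
                             **rec})
        elif (rec.get("action") == "repo.create"
              and rec.get("via_token")
              and rec.get("workflow_run") is not None):
            # A workflow's token creating a brand-new repository is unusual in most
            # pipelines and is the generic shape of this backup exfiltration step
            findings.append({"severity": "medium",
                             "reason": "repository created by a token from inside a workflow run",
                             **rec})
    return findings


def severities(text):
    """Convenience wrapper: severities of all findings for a log text."""
    return [f["severity"] for f in find_suspicious_repo_events(parse_records(text))]


if __name__ == "__main__":
    for finding in find_suspicious_repo_events(parse_records(SAMPLE_AUDIT_LOG)):
        print(finding["severity"], finding["repo"], finding["action"], "-", finding["reason"])
```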
Read at The Hacker News