This week's articles
TeamPCP: A coordinated supply chain campaign targeting security tools
Over the past few weeks, a threat group calling themselves "TeamPCP" ran a coordinated supply chain campaign targeting open-source security tools. It started with Trivy on March 19, when attackers pushed a malicious v0.69.4 release and force-pushed 75+ GitHub Action tags to compromised versions, turning the vulnerability scanner into a credential stealer that harvested secrets from CI/CD runner memory. Days later, the same group hit Checkmarx's KICS GitHub Action and OpenVSX extensions (March 23), followed by LiteLLM on PyPI (March 24). The malware used a consistent pattern across all targets: collect secrets from process memory, encrypt with AES-256-CBC + RSA-4096, and exfiltrate to typosquatted C2 domains. The group claims around 300GB of compressed credentials stolen. Multiple companies published their analysis of the campaign. Here is the full reading list: - Aqua Security: Official incident response from Trivy's maintainers
- Checkmarx: Official security update on KICS compromise
- Wiz: Technical analysis of the Trivy compromise
- Wiz: Analysis of the KICS GitHub Action attack
- Socket: Compromised Trivy Docker images
- Socket: Campaign overview across the OSS ecosystem
- StepSecurity: Second Trivy compromise and detection details
Locking down AWS principal tags with RCPs and SCPs
A post explaining how to use SCPs to restrict sensitive IAM actions to tagged principals, RCPs to block unauthorized "scp-*" session tags from external/non-tagger principals, and SCPs to protect the "tagger" role itself via CloudFormation StackSets.
Simulating Ransomware with AWS KMS
Post that demonstrates how attackers can abuse AWS KMS by importing malicious key material to encrypt RDS/EBS resources, then deleting the material to make data inaccessible without ransom payment.
#aws
#attack
|