TeamPCP Defaces Aqua Security’s Internal GitHub Org
TeamPCP compromised the aquasec-com GitHub organization, renaming all 44 repositories and exposing internal source code, CI/CD configs, and knowledge bases.
By c0a15726-c5b1-4b0d-85e6-fe15553df9e2
The OpenSourceMalware team has identified an active compromise of the aquasec-com GitHub organization — Aqua Security's internal org for proprietary code. The threat actor TeamPCP (aka DeadCatx3, PCPcat, ShellForce) defaced all 44 repositories in a scripted 2-minute burst, renaming every repo with a tpcp-docs- prefix and setting all descriptions to "TeamPCP Owns Aqua Security." Our forensic analysis of the GitHub Events API points to a compromised service account token — likely stolen during TeamPCP's prior Trivy GitHub Actions compromise — as the attack vector.
This is not the first time TeamPCP has targeted Aqua Security. It's the latest escalation from a threat actor that has been building capability across the cloud-native ecosystem for months.
TL;DR
Threat Actor: TeamPCP (aka DeadCatx3, PCPcat, ShellForce, CanisterWorm)
Target: aquasec-com GitHub organization (Aqua Security's internal/private org)
Impact: 44 internal repos defaced, renamed, and exposed publicly — including source code for Tracee, internal Trivy forks, CI/CD pipelines, Kubernetes operators, and team knowledge bases
Attack Vector: Compromised Argon-DevOps-Mgt service account token (high confidence)
Key Finding: The threat actor tested the stolen token 7 hours before the defacement by creating and deleting a ghost branch on aquasecurity/trivy-plugin-aqua — the public Aqua Security org is also at risk
Discovery
On March 22, 2026, we observed all 44 repositories in the aquasec-com GitHub organization had been simultaneously renamed and defaced. The org profile at github.com/orgs/aquasec-com showed every repo prefixed with tpcp-docs- and carrying the description "TeamPCP Owns Aqua Security."
The aquasec-com org (GitHub ID 203123164, created 2025-03-13) is distinct from Aqua Security's well-known open-source org aquasecurity (ID 12783832, created 2015-06-07, 219 public repos). The compromised org appears to be their internal org for proprietary code — making this exposure particularly damaging.
The Defacement: A 2-Minute Automated Blitz
Using the GitHub Events API and repo metadata, we reconstructed the exact timeline. All 44 repos were modified between 20:31:07 UTC and 20:32:26 UTC — a ~2-minute window that confirms automated scripting via the GitHub API:
Time (UTC)   Renamed Repo                      Original Name
20:31:07     tpcp-docs-aqua-deployer           aqua-deployer
20:31:15     tpcp-docs-tracee                  tracee
20:31:17     tpcp-docs-aqua-trivy              aqua-trivy
20:31:24     tpcp-docs-supply-chain-lambdas    supply-chain-lambdas
20:31:53     tpcp-docs-cicd                    cicd
20:32:05     tpcp-docs-tracee-detectors        tracee-detectors
20:32:14     tpcp-docs-aquai                   aquai
20:32:20     tpcp-docs-kb-personal-yaniv       kb-personal-yaniv
20:32:24     tpcp-docs-kube-hunter             kube-hunter
...          ...                               ... (44 repos total)
Every repo received the description: "TeamPCP Owns Aqua Security."
The attack was trivially a loop of PATCH /repos/{org}/{repo} calls with the new name and description. GitHub's public events API does not log repo rename or description change operations, making the defacement invisible in events — only the updated_at timestamps on each repo betray the exact timing.
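Because the events feed records neither renames nor description changes, a defender has to detect this kind of defacement from repo metadata rather than from events. The Python script below is an added example, not code from the post or from Aqua Security: it sorts an org's repos by updated_at, groups every run of updates that lands within a few minutes of the group's first one, and reports any group that is large, shares a new name prefix, and carries one dominant description. The repo records are a constructed sample shaped like the name, description and updated_at fields that GET /orgs/{org}/repos returns (nine of the renamed repos from the table above plus one untouched repo for contrast); in practice you would feed it the live API response.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like the name/description/updated_at fields that
# GET /orgs/{org}/repos returns. The first nine rows mirror the post's timeline;
# the last row is an untouched repo added for contrast.
SAMPLE_REPOS = [
    {"name": "tpcp-docs-aqua-deployer", "description": "TeamPCP Owns Aqua Security.", "updated_at": "2026-03-22T20:31:07Z"},
    {"name": "tpcp-docs-tracee", "description": "TeamPCP Owns Aqua Security.", "updated_at": "2026-03-22T20:31:15Z"},
    {"name": "tpcp-docs-aqua-trivy", "description": "TeamPCP Owns Aqua Security.", "updated_at": "2026-03-22T20:31:17Z"},
    {"name": "tpcp-docs-supply-chain-lambdas", "description": "TeamPCP Owns Aqua Security.", "updated_at": "2026-03-22T20:31:24Z"},
    {"name": "tpcp-docs-cicd", "description": "TeamPCP Owns Aqua Security.", "updated_at": "2026-03-22T20:31:53Z"},
    {"name": "tpcp-docs-tracee-detectors", "description": "TeamPCP Owns Aqua Security.", "updated_at": "2026-03-22T20:32:05Z"},
    {"name": "tpcp-docs-aquai", "description": "TeamPCP Owns Aqua Security.", "updated_at": "2026-03-22T20:32:14Z"},
    {"name": "tpcp-docs-kb-personal-yaniv", "description": "TeamPCP Owns Aqua Security.", "updated_at": "2026-03-22T20:32:20Z"},
    {"name": "tpcp-docs-kube-hunter", "description": "TeamPCP Owns Aqua Security.", "updated_at": "2026-03-22T20:32:24Z"},
    {"name": "go-utils", "description": "Shared Go libraries", "updated_at": "2026-02-02T09:12:41Z"},  # constructed, untouched
]


def parse_ts(value):
    """Parse the RFC 3339 'Z' timestamps GitHub returns into aware datetimes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def common_prefix(names):
    """Longest common prefix of a list of repo names ('' if there is none)."""
    if not names:
        return ""
    prefix = names[0]
    for name in names[1:]:
        while not name.startswith(prefix):
            prefix = prefix[:-1]
    return prefix


def find_update_bursts(repos, window=timedelta(minutes=5), min_repos=5):
    """Group repos whose updated_at falls within `window` of the group's first
    update; return every group of at least `min_repos` repos together with the
    shared name prefix and the most common description."""
    ordered = sorted(repos, key=lambda r: parse_ts(r["updated_at"]))
    bursts = []
    i = 0
    while i < len(ordered):
        start = parse_ts(ordered[i]["updated_at"])
        j = i
        while j + 1 < len(ordered) and parse_ts(ordered[j + 1]["updated_at"]) - start <= window:
            j += 1
        group = ordered[i:j + 1]
        if len(group) >= min_repos:
            descriptions = Counter((r.get("description") or "") for r in group)
            bursts.append({
                "start": ordered[i]["updated_at"],
                "end": ordered[j]["updated_at"],
                "count": len(group),
                "shared_prefix": common_prefix([r["name"] for r in group]),
                "top_description": descriptions.most_common(1)[0],  # (text, repo count)
            })
        i = j + 1
    return bursts


def is_defacement_burst(burst, min_prefix_len=4, min_description_share=0.8):
    """A burst looks like a scripted defacement when the updated repos share a
    non-trivial name prefix and most of them carry the same description."""
    text, hits = burst["top_description"]
    same_description = text != "" and hits / burst["count"] >= min_description_share
    return len(burst["shared_prefix"]) >= min_prefix_len and same_description


if __name__ == "__main__":
    for burst in find_update_bursts(SAMPLE_REPOS):
        verdict = "DEFACEMENT-LIKE" if is_defacement_burst(burst) else "bulk update"
        print(f"{verdict}: {burst['count']} repos {burst['start']}..{burst['end']} "
              f"prefix={burst['shared_prefix']!r} description={burst['top_description'][0]!r}")
```

The same three fields come out of `gh api /orgs/<org>/repos --paginate`, so the script can run on a schedule against a saved baseline; a legitimate bulk archive or topic update will also show up as a burst, which is why the verdict additionally requires a shared new prefix and one dominant description before calling it a defacement.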
Ground Zero: The Argon-DevOps-Mgt Service Account
Our forensic analysis identified Argon-DevOps-Mgt as the high-confidence compromised account. This is a service/bot account (GitHub ID 139343333, created 2023-07-12) with a critical property: it bridges both GitHub orgs.

Cross-Org Admin Access
aquasec-com org: 43 PublicEvent operations over 1.5 years (making repos public requires admin access)
aquasecurity org: Creating releases (v0.217.1, v0.218.0, v0.218.1) and triggering workflows on trivy-plugin-aqua
One compromised token for this account gives the attacker write/admin access to both organizations.
The Ghost Branch: Token Testing at 13:24 UTC
Seven hours before the defacement, at 13:24:25 UTC, the Argon-DevOps-Mgt account created a branch named update-plugin-links-v0.218.2 on aquasecurity/trivy-plugin-aqua and deleted it at the exact same second (GitHub event IDs 9676884051 and 9676884079).
This is anomalous for three reasons:
No v0.218.2 release or tag exists — only v0.218.0 and v0.218.1
No workflow run was triggered — the established pattern for this account (confirmed across v0.217.1, v0.218.0, v0.218.1) is that branch creation triggers a create pr workflow. No such run exists for v0.218.2
The branch name follows the account's naming convention — the threat actor mimicked the expected update-plugin-links-vX.Y.Z pattern, suggesting they studied the account's behavior before acting
This is consistent with a threat actor testing a stolen token's capabilities — creating a branch to confirm write access, then immediately deleting it to minimize detection, before proceeding with the main attack 7 hours later.
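Spotting the token test before the main attack comes down to correlating the create and delete records in the Events API with the Actions run history. The script below is an added example, not code from the post and not Aqua's tooling: it pairs CreateEvent and DeleteEvent records for the same (repo, branch), keeps the branches that lived under a minute, and drops any for which a workflow run with a matching head_branch exists. The events are a constructed sample laid out like real Events API records and carry the ghost-branch event IDs and timestamp from the post; the v0.218.1 records, their timestamps and the workflow-run list are invented for contrast.

```python
from datetime import datetime, timezone

# Constructed sample of GitHub Events API records. The field layout (id, type,
# actor.login, repo.name, payload.ref, payload.ref_type, created_at) is the real
# one. The first two records carry the ghost-branch event IDs and timestamp from
# the post; the v0.218.1 records and their timestamps are invented for contrast.
SAMPLE_EVENTS = [
    {"id": "9676884051", "type": "CreateEvent", "actor": {"login": "Argon-DevOps-Mgt"},
     "repo": {"name": "aquasecurity/trivy-plugin-aqua"},
     "payload": {"ref": "update-plugin-links-v0.218.2", "ref_type": "branch"},
     "created_at": "2026-03-22T13:24:25Z"},
    {"id": "9676884079", "type": "DeleteEvent", "actor": {"login": "Argon-DevOps-Mgt"},
     "repo": {"name": "aquasecurity/trivy-plugin-aqua"},
     "payload": {"ref": "update-plugin-links-v0.218.2", "ref_type": "branch"},
     "created_at": "2026-03-22T13:24:25Z"},
    {"id": "9601000001", "type": "CreateEvent", "actor": {"login": "Argon-DevOps-Mgt"},
     "repo": {"name": "aquasecurity/trivy-plugin-aqua"},
     "payload": {"ref": "update-plugin-links-v0.218.1", "ref_type": "branch"},
     "created_at": "2026-03-10T10:00:00Z"},
    {"id": "9601000400", "type": "DeleteEvent", "actor": {"login": "Argon-DevOps-Mgt"},
     "repo": {"name": "aquasecurity/trivy-plugin-aqua"},
     "payload": {"ref": "update-plugin-links-v0.218.1", "ref_type": "branch"},
     "created_at": "2026-03-10T10:06:30Z"},
]

# Constructed sample of GET /repos/{owner}/{repo}/actions/runs entries; head_branch
# and event are real fields. Only the legitimate branch triggered a run.
SAMPLE_RUNS = [
    {"head_branch": "update-plugin-links-v0.218.1", "event": "create",
     "created_at": "2026-03-10T10:00:05Z"},
]


def parse_ts(value):
    """Parse the RFC 3339 'Z' timestamps GitHub returns into aware datetimes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_ghost_branches(events, runs, max_lifetime_seconds=60):
    """Pair CreateEvent/DeleteEvent records per (repo, branch) and return the
    branches that were deleted within max_lifetime_seconds of creation without
    any workflow run having started from them."""
    branches_with_runs = {run["head_branch"] for run in runs}
    open_creates = {}
    findings = []
    # Event IDs increase over time; sort by timestamp, then ID, so a create and
    # a delete in the same second are still ordered correctly.
    for event in sorted(events, key=lambda e: (parse_ts(e["created_at"]), int(e["id"]))):
        payload = event.get("payload", {})
        if payload.get("ref_type") != "branch":
            continue
        key = (event["repo"]["name"], payload["ref"])
        if event["type"] == "CreateEvent":
            open_creates[key] = event
        elif event["type"] == "DeleteEvent" and key in open_creates:
            created = open_creates.pop(key)
            lifetime = (parse_ts(event["created_at"]) - parse_ts(created["created_at"])).total_seconds()
            if lifetime <= max_lifetime_seconds and payload["ref"] not in branches_with_runs:
                findings.append({
                    "repo": key[0],
                    "branch": key[1],
                    "actor": created["actor"]["login"],
                    "lifetime_seconds": lifetime,
                    "create_event_id": created["id"],
                    "delete_event_id": event["id"],
                })
    return findings


if __name__ == "__main__":
    for f in find_ghost_branches(SAMPLE_EVENTS, SAMPLE_RUNS):
        print(f"ghost branch {f['branch']} on {f['repo']} by {f['actor']}: lived "
              f"{f['lifetime_seconds']:.0f}s, no workflow run "
              f"(events {f['create_event_id']}/{f['delete_event_id']})")
```

Live input comes from GET /users/{username}/events/public or GET /repos/{owner}/{repo}/events for the event stream and GET /repos/{owner}/{repo}/actions/runs for the runs; the public events feed only retains recent history, so a detection like this needs to poll and persist rather than rely on a one-off query after the fact.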
Why This Account?
Zero followers, zero public repos, no bio, no social links — a pure service account
Uses pusher_type: "user" (not a GitHub App), indicating PAT-based authentication. Service accounts typically use long-lived Personal Access Tokens without MFA
The account triggers CI workflows on trivy-plugin-aqua — its token was present in CI runner environments
The Kill Chain: From Trivy Compromise to Org Defacement
TeamPCP has been systematically targeting the Aqua Security ecosystem. The credential theft chain is:
Stage 1: Trivy GitHub Actions Tag Poisoning (documented by Socket.dev)
TeamPCP compromised Trivy GitHub Actions tags, injecting a credential harvester
The harvester (self-identified as "TeamPCP Cloud stealer" in its source) systematically scraped CI runners for GitHub tokens, SSH keys, cloud credentials, and environment variables
Stage 2: Token Harvesting
The Argon-DevOps-Mgt service account's PAT was likely captured from a CI runner during Stage 1
As a service account that triggers workflows on trivy-plugin-aqua, its token was present in the runner environment
Stage 3: Reconnaissance (March 22, 13:24 UTC)
Threat actor tested the token by creating and deleting a branch on aquasecurity/trivy-plugin-aqua
Confirmed write access to the aquasecurity org
Stage 4: Enumeration and Scripting (~13:25–20:30 UTC)
Threat actor enumerated repos in the aquasec-com org via the API
Prepared a defacement script to rename all repos and change descriptions
Stage 5: Defacement (March 22, 20:31 UTC)
Executed automated API calls to rename all 44 repos with the tpcp-docs- prefix
Set all descriptions to "TeamPCP Owns Aqua Security."
Completed in under 2 minutes
What Was Exposed
The 44 internal repos span Aqua Security's entire engineering organization:
Core Security Products:
tracee — Runtime security engine (private fork with internal features)
tracee-detectors — Detection rules and test automation
aqua-trivy — Internal Trivy customization
kube-hunter — Kubernetes penetration testing tool
aquai — AI product (with GitHub Pages deployment)
Infrastructure & CI/CD:
cicd — CI/CD pipeline configurations
infra-provisioner — Infrastructure provisioning (Terraform, GKE)
supply-chain-lambdas — AWS Lambda functions
arc/arc-aquasec-com — Actions Runner Controller configs
rhel-eks-ami — Custom AMI builds
Internal Tooling:
aqua-react — Frontend UI application
go-utils/cnapp-go-utils — Shared Go libraries with proto definitions
.github-private — Shared GitHub Actions workflows with ECR login, deployment configs
Knowledge Bases:
kb-shared, kb-team-tracee, kb-group-runtime, kb-personal-yaniv, kb-projects
Any secrets, API keys, or credentials in these repos or their CI/CD configurations should be considered compromised.
Who is TeamPCP?
TeamPCP is a cloud-native threat actor that has been escalating in capability throughout 2025-2026:
Attribute          Detail
Aliases            DeadCatx3, PCPcat, ShellForce, CanisterWorm
Tracked By         Flare, Aikido Security, Socket.dev, The Hacker News, Maltrail
Known TTPs         Docker API exploitation, Kubernetes cluster compromise, supply chain poisoning, worm deployment, ransomware, cryptomining, Kubernetes wipers
Notable CVEs       CVE-2025-29927, CVE-2025-55182 (React2Shell)
C2 Infrastructure  ICP Canisters (first observed), Cloudflare Tunnels
Their progression shows increasing sophistication:
Cloud exploitation — Misconfigured Docker APIs, Kubernetes, Redis, Ray dashboards
Supply chain attacks — Trivy GitHub Actions tag compromise, NPM package compromise
CanisterWorm — Self-propagating worm using ICP Canister for C2 (first-of-its-kind)
Kubernetes wipers — Destructive payloads targeting Iran (reported by Aikido, March 22, 2026)
Org-level compromise — This attack against aquasec-com
Indicators of Compromise (IOCs)
Domains
aquasecurtiy.org
scan.aquasecurtiy.org
C2 Infrastructure
tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io
championships-peoples-point-cassette.trycloudflare.com
investigation-launches-hearings-copying.trycloudflare.com
souls-entire-defined-routes.trycloudflare.com
GitHub Artifacts
Organization: github.com/aquasec-com (compromised)
Defacement pattern: "tpcp-docs-" prefix on all repo names
Defacement message: "TeamPCP Owns Aqua Security."
Compromised account: Argon-DevOps-Mgt (GitHub ID 139343333)
Defacement timestamp: 2026-03-22T20:31:07Z to 2026-03-22T20:32:26Z
Token test timestamp: 2026-03-22T13:24:25Z (ghost branch on trivy-plugin-aqua)
File System Indicators
/tmp/pglog (CanisterWorm payload drop path)
VirusTotal
18a24f83e807479438dcab7a1804c51a00dafc1d526698a66e0640d1e5dd671a
Recommendations
For Aqua Security:
Immediately revoke all tokens/PATs for Argon-DevOps-Mgt and all service accounts
Review the aquasec-com org audit log to confirm the compromised account and attacker IP
Audit the aquasecurity public org — the same token has confirmed write access
Rotate all secrets referenced in exposed repos (AWS keys, API tokens, LaunchDarkly keys, Jenkins credentials)
Scan CI/CD runners for TeamPCP indicators (/tmp/pglog, ICP canister connections)
For the Community:
If you depend on aquasecurity/trivy-plugin-aqua, verify recent releases were not tampered with
Pin GitHub Actions to full commit SHAs, not tags
Audit service account tokens — enforce short-lived tokens and least-privilege scoping
Monitor for the IOCs listed above in your CI/CD environments
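A concrete way to act on the pinning advice above. The following Python checker is an added example, not code from the post or from any project it mentions: it reads a workflow file, classifies every uses: reference as a commit SHA, a version tag, a branch, a local action or a Docker image, and reports the ones that a moved tag or a branch push could redirect, which is exactly the tag-poisoning exposure the Trivy incident exploited. The workflow text is constructed; the 40-hex SHA in it is a placeholder rather than a real commit, and the version tags are illustrative.

```python
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches a `uses:` line in a workflow or composite action, quoted or not,
# and stops before any trailing comment.
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^'"\s#]+)['"]?""")

# Constructed workflow. The SHA below is a placeholder, not a real commit, and
# the version tags are illustrative.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@0.28.0
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567 # 0.28.0 pinned
      - uses: ./.github/actions/local-step
      - uses: some-org/some-action@main
"""


def classify_uses(spec):
    """Classify a `uses:` reference as local, docker, sha, tag, branch or unpinned."""
    if spec.startswith("./"):
        return "local"
    if spec.startswith("docker://"):
        return "docker"
    if "@" not in spec:
        return "unpinned"
    _action, ref = spec.rsplit("@", 1)
    if SHA_RE.match(ref):
        return "sha"
    if re.match(r"^v?\d", ref):
        return "tag"
    return "branch"


def find_unpinned_actions(workflow_text):
    """Return every `uses:` reference that a tag move or branch push could redirect."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        match = USES_RE.match(line)
        if not match:
            continue
        spec = match.group(1)
        kind = classify_uses(spec)
        if kind in ("tag", "branch", "unpinned"):
            findings.append({"line": lineno, "uses": spec, "kind": kind})
    return findings


if __name__ == "__main__":
    for f in find_unpinned_actions(SAMPLE_WORKFLOW):
        print(f"line {f['line']}: {f['uses']} is referenced by {f['kind']}; pin it to a full commit SHA")
```

Pinning to a SHA with the version kept in a trailing comment (as on the placeholder line) preserves readability and lets tooling such as Dependabot still propose upgrades, while removing the attacker's ability to swap the code behind a tag you already trust.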
References
Socket.dev - Trivy Under Attack Again: GitHub Actions Tag Compromise
Aikido Security - CanisterWorm Gets Teeth: TeamPCP's Kubernetes Wiper Targets Iran
The Hacker News - TeamPCP Worm Exploits Cloud Infrastructure
Flare - TeamPCP: An Emerging Force in Cloud Native and Ransomware
Conclusion
This compromise demonstrates the long tail of supply chain attacks. A credential harvested during the Trivy GitHub Actions compromise months ago was weaponized today to deface an entire internal GitHub organization. The Argon-DevOps-Mgt service account — a single bot account bridging two orgs with a long-lived PAT — was the weak link.
TeamPCP continues to escalate. From cloud exploitation to supply chain worms to Kubernetes wipers, they are building capability and targeting the security vendor ecosystem itself. The irony of a cloud security company being compromised by a cloud-native threat actor should not be lost on the industry.
If you encounter similar defacement patterns, compromised tokens, or TeamPCP indicators, please report them to OpenSourceMalware.com.
Stay safe out there.
Tags: #supply-chain #github #TeamPCP #aquasecurity #c2 #worm #ioc