Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7
Tag: cloud-credentials (2 articles)Clear

FBI warns TeamPCP poisons trusted developer tools to steal cloud credentials

The FBI has issued an alert about TeamPCP, a criminal group that compromises the developer and security tools organizations trust inside their build pipelines to steal cloud credentials at scale. Rather than targeting end users, TeamPCP injects malicious code into legitimate software such as the Trivy and KICS scanners and the LiteLLM library, then pushes trojanized updates that continuous integration systems pull in automatically. Its malware harvests AWS, Google Cloud, and Azure tokens, Kubernetes service-account credentials, and more. One technique the FBI highlights is taking over npm maintainer accounts by re-registering the maintainer's long-expired recovery email domain, then using password reset to publish malicious package versions.

Check
Check whether your build pipelines pulled trojanized versions of tools like Trivy, KICS, or LiteLLM, review the FBI's indicators, and audit whether any package maintainer accounts use expired recovery email domains.
Affected
Organizations whose CI/CD pipelines automatically pull developer and security tools, and maintainers whose npm recovery email domains have lapsed; TeamPCP uses these paths to steal cloud, Kubernetes, and registry credentials.
Fix
Pin GitHub Actions to commit hashes, rotate CI/CD secrets and cloud credentials, scope publishing tokens and enforce least privilege, require phishing-resistant MFA on publishing accounts, and delay installing brand-new package versions.

Djinn stealer harvests cloud and AI credentials through SimpleHelp RMM flaw

A new information stealer called Djinn is being used to grab cloud and AI service credentials, Dark Reading reports. Attackers deliver it by exploiting CVE-2026-48558, a critical authentication-bypass flaw in the SimpleHelp remote-management tool, then use Djinn to target the credentials that link developer and administrator environments to broader enterprise systems. The focus on cloud and AI secrets reflects where valuable access now lives: API keys and tokens for cloud platforms and AI services can unlock far more than a single machine. Organizations that run SimpleHelp, especially unpatched instances, are the immediate exposure point for this credential theft.

Check
Confirm SimpleHelp servers are patched against CVE-2026-48558, and review developer and admin systems for credential theft and any unexpected use of cloud or AI service API keys and tokens.
Affected
Organizations running SimpleHelp remote-management software vulnerable to CVE-2026-48558; Djinn specifically hunts the cloud and AI service credentials that bridge developer and admin environments to wider enterprise systems.
Fix
Patch SimpleHelp immediately, rotate cloud and AI service credentials that may have been exposed, enforce least privilege and short-lived tokens, and monitor for unusual API key usage.