CyberSecurityNews

VECT and TeamPCP Reverse Ransomware Kill Chain With Supply Chain Credential Theft


A ransomware strain called VECT has formed an unusual supply chain partnership with a threat group known as TeamPCP, quietly exposing thousands of organizations to compromise before any ransom note appears.

VECT’s operators buy their way in using stolen credentials harvested from tampered open source software rather than scanning networks for weaknesses.

Most ransomware groups pick a target, gain access, then deploy their payload, meaning exposure depends on whether a group has decided to go after organizations like yours.

VECT and TeamPCP do not work this way. Target selection happens only after access already exists inside a shared credential archive.

Analysts at Vectra AI noted that the credential theft ran far ahead of any ransomware deployment, giving VECT a ready made pool of victims to choose from.

Between February and March 2026, TeamPCP tampered with four widely used open source packages that development teams rely on daily.

Vectra AI said in a report shared with Cyber Security News (CSN) that this arrangement lets VECT skip reconnaissance entirely and pick victims from an existing inventory.

The VECT operator announced the partnership publicly on BreachForums on April 16, 2026 (Source – Vectra AI)

The FBI’s IC3 FLASH-20260702-001 advisory, published July 2, 2026, documents a campaign built on scale rather than precision targeting.

Sophos Counter Threat Unit has confirmed at least one VECT deployment traced back to TeamPCP sourced credentials.

The FBI has warned stolen credentials will likely be weaponized long after the original compromise, meaning the danger does not fade with time.

VECT and TeamPCP Reverse Ransomware Kill Chain

TeamPCP exploited CVE-2026-33634 to overwrite 76 of 77 versions of Trivy’s automated workflow, a container scanning tool, using a stolen developer credential with write access to the repository.

A similar technique overwrote 35 versions of Checkmarx KICS, which scans infrastructure code for misconfigurations.

Attackers used the victim’s own automation credentials to quietly create a hidden repository called docs-tpcp inside the victim’s GitHub account.

The most damaging part of the campaign involved LiteLLM version 1.82.8, a library with roughly 95 million monthly downloads. TeamPCP added a file named litellm_init.pth to the installation.

Files with the .pth extension are automatically executed by Python every time it starts, giving attackers persistent code execution on any machine running the package.

Telnyx Python SDK versions 4.87.1 and 4.87.2 carried a three stage remote access trojan that hands attackers control of an infected machine.

TeamPCP is the same group behind the Shai-Hulud supply chain worm, which spreads through developer environments and CI/CD pipelines.

That worm later generated valid signing certificates to bypass verification checks, harvesting more than 500,000 credentials from over 10,000 CI/CD pipelines, including cloud tokens, Kubernetes secrets, and GitHub and GitLab access tokens.

Why Detection Keeps Missing It

Movement between a poisoned package and a production breach rarely shows up in any single log.

A package manager records an install, a pipeline records a workflow tied to a known service account, and a cloud provider records an authenticated API call from a recognized identity. None look suspicious alone.

This fragmented logging issue appeared in the earlier Anodot-Snowflake supply chain incident, where tokens stolen from a SaaS integration provider were reused across customer environments without anyone connecting the dots.

The VECT-TeamPCP case runs the same pattern through the CI/CD layer. Check Point Research’s technical analysis of VECT 2.0 found clear signs of amateur coding, including evasion routines that never run and an obfuscation layer that undoes itself.

The malware is unpolished, but the surrounding infrastructure is far more sophisticated. VECT’s affiliate program includes Monero escrow accounts, tiered commissions, and dedicated negotiators, tied into BreachForums integration announced publicly on April 16, 2026.

TeamPCP’s credential archive substitutes entirely for technical exploitation skill.

Security teams should treat pipeline credentials as compromised if their environment ran LiteLLM 1.82.8, any Trivy GitHub Action pinned to 0.76.x or 0.77.x tags, any affected Checkmarx KICS tag, or Telnyx SDK 4.87.1 or 4.87.2 between February and April 2026.

Search installation directories for litellm_init.pth on machines that ran LiteLLM during that window, and check GitHub repositories for a hidden repo named docs-tpcp, since its presence confirms TeamPCP used your own credentials against you.

Credentials issued before April 2026 in affected environments should be rotated, and audit logs reviewed for pipeline calls to production during that window.

TypeIndicatorDescription
File Namelitellm_init.pthMalicious .pth file added to LiteLLM v1.82.8 that auto-executes on every Python startup, giving TeamPCP persistent code execution 
Repository Namedocs-tpcpHidden GitHub repository created by TeamPCP using stolen victim automation credentials 
VulnerabilityCVE-2026-33634Flaw exploited to overwrite 76 of 77 Trivy versions with a malicious automated workflow 
Affected SoftwareTrivy GitHub Action v0.76.x and v0.77.x tagsTampered versions used to harvest developer and repository credentials 
Affected SoftwareCheckmarx KICS (35 tags)Tampered infrastructure-code scanning tool used to steal automation credentials 
Affected SoftwareLiteLLM v1.82.8Poisoned software library, roughly 95 million monthly downloads, carrying the litellm_init.pth payload 
Affected SoftwareTelnyx Python SDK v4.87.1, v4.87.2Versions bundled with a three-stage remote access trojan 
Advisory IDFBI IC3 FLASH-20260702-001Official advisory documenting the TeamPCP credential theft campaign, published July 2, 2026 

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Prevent critical incidents and financial loss with stronger proactive defense. Integrate a live threat feed from 15K SOC Teams.



Source link