VECTRA and TeamPCP reverse ransomware kill chain with supply chain credential theft
Key Takeaways The VECT ransomware group has partnered with TeamPCP, a threat actor specializing in supply chain attacks, to reverse the traditional ransomware kill chain. TeamPCP compromises...
Key Takeaways
- The VECT ransomware group has partnered with TeamPCP, a threat actor specializing in supply chain attacks, to reverse the traditional ransomware kill chain.
- TeamPCP compromises open-source software packages to steal credentials on a massive scale, providing VECT with a pre-vetted pool of victims before any ransomware is deployed.
- This novel approach allows VECT to bypass initial reconnaissance, leveraging stolen credentials from compromised CI/CD pipelines and developer environments.
- Over 10,000 CI/CD pipelines have been affected, leading to the theft of more than 500,000 credentials, including cloud tokens and GitHub/GitLab access tokens.
- The FBI issued advisory IC3 FLASH-20260702-001 on July 2, 2026, highlighting the campaign’s broad impact and the persistent threat posed by these stolen credentials.
VECT and TeamPCP Reverse Ransomware Kill Chain
A new and concerning partnership has emerged in the cybercrime landscape, linking the VECT ransomware strain with the notorious threat group TeamPCP. This collaboration has inverted the conventional ransomware kill chain, enabling VECT to compromise thousands of organizations long before a ransom demand is ever issued. Unlike typical ransomware operations that first identify targets and then seek access, VECT’s operators acquire access credentials through TeamPCP’s sophisticated supply chain attacks, essentially purchasing their way into networks.
Table Of Content
This strategic shift means that victim selection for VECT occurs *after* initial access has been established and credentials have been stored in a shared archive. This pre-positioned access eliminates the need for VECT to conduct its own reconnaissance, drastically accelerating the attack timeline and expanding the potential victim pool. Analysts at Vectra AI highlighted this inverted approach, noting that it provides VECT with a ready-made inventory of targets.
TeamPCP’s Supply Chain Compromises
Between February and March 2026, TeamPCP actively tampered with four widely used open-source software packages critical to development teams. This campaign was detailed in an Vectra AI report shared with Cyber Security News (CSN), and further corroborated by the FBI’s IC3 FLASH-20260702-001 advisory, published on July 2, 2026. The advisory underscores the campaign’s focus on widespread credential harvesting rather than precise, targeted attacks.
One significant exploit involved CVE-2026-33634, which TeamPCP leveraged to modify 76 out of 77 versions of Trivy’s automated workflow, a popular container scanning tool. This was achieved by exploiting a stolen developer credential with write permissions to the repository. A similar tactic was employed against 35 versions of Checkmarx KICS, a tool designed for scanning infrastructure-as-code for misconfigurations, also resulting in the theft of automation credentials. Attackers then used these compromised credentials to create a covert repository named `docs-tpcp` within the victims’ GitHub accounts.
The most impactful compromise involved LiteLLM version 1.82.8, a Python library boasting approximately 95 million monthly downloads. TeamPCP inserted a malicious file, `litellm_init.pth`, into the installation package. Python automatically executes files with the `.pth` extension upon startup, granting the attackers persistent code execution capabilities on any system running the compromised LiteLLM version. Additionally, Telnyx Python SDK versions 4.87.1 and 4.87.2 were found to contain a sophisticated three-stage remote access trojan, giving attackers full control over infected machines.
TeamPCP is recognized for its prior involvement in the Shai-Hulud supply chain worm. This worm demonstrated an ability to spread through developer environments and CI/CD pipelines, generating valid signing certificates to bypass security checks. The Shai-Hulud campaign alone harvested over 500,000 credentials from more than 10,000 CI/CD pipelines, including cloud tokens, Kubernetes secrets, and GitHub/GitLab access tokens. The FBI has warned that credentials stolen in such campaigns remain a persistent threat, likely to be weaponized long after their initial compromise.
Why Detection Keeps Missing It
The effectiveness of this attack model stems from its ability to evade traditional detection mechanisms. The lateral movement between a compromised software package and a subsequent breach often appears as a series of legitimate, isolated actions across different log sources. For instance, a package manager logs an installation, a CI/CD pipeline records a workflow executed by a known service account, and a cloud provider logs an authenticated API call from a recognized identity. Individually, none of these actions trigger immediate suspicion.
This fragmented logging issue mirrors the challenges observed in the earlier Anodot-Snowflake supply chain incident, where stolen tokens from a SaaS integration provider were illicitly reused across customer environments without a clear trail connecting the dots. The VECT-TeamPCP operation replicates this pattern within the CI/CD layer. While Check Point Research’s technical analysis of VECT 2.0 revealed amateurish coding, including ineffective evasion routines and self-undoing obfuscation, the underlying infrastructure supporting this operation is remarkably sophisticated. VECT’s affiliate program is well-developed, featuring Monero escrow accounts, tiered commissions, and dedicated negotiators, publicly announced on BreachForums on April 16, 2026. This robust infrastructure, combined with TeamPCP’s extensive credential archive, effectively compensates for any technical shortcomings in the ransomware itself.
What You Should Do
Organizations should take immediate action to mitigate potential compromises from this campaign.
- Assume pipeline credentials issued before April 2026 are compromised if your environment utilized LiteLLM 1.82.8, any Trivy GitHub Action pinned to 0.76.x or 0.77.x tags, any affected Checkmarx KICS tag, or Telnyx SDK 4.87.1 or 4.87.2 between February and April 2026.
- Immediately rotate all potentially compromised credentials.
- Thoroughly audit logs for any suspicious pipeline calls to production environments during the identified compromise window (February to April 2026).
- Search installation directories on machines that ran LiteLLM 1.82.8 for the presence of `litellm_init.pth`.
- Inspect your GitHub repositories for a hidden repository named `docs-tpcp`, as its existence confirms TeamPCP used your credentials.
- Implement robust supply chain security practices, including rigorous vetting of open-source components and continuous monitoring of CI/CD pipelines for anomalous activity.
- Enhance multi-factor authentication (MFA) across all developer accounts and critical systems.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.