Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Critical CVE-2024-XXXXX in GCP Dialogflow Lets Attackers Inject Malicious Code
July 7, 2026
Gentlemen Ransomware Uses Custom EDR/AV Killers to Target Global Industries
July 7, 2026
VECTRA and TeamPCP reverse ransomware kill chain with supply chain credential theft
July 7, 2026
Home/Threats/VECTRA and TeamPCP reverse ransomware kill chain with supply chain credential theft
Threats

VECTRA and TeamPCP reverse ransomware kill chain with supply chain credential theft

Key Takeaways The VECT ransomware group has partnered with TeamPCP, a threat actor specializing in supply chain attacks, to reverse the traditional ransomware kill chain. TeamPCP compromises...

Jennifer sherman
Jennifer sherman
July 7, 2026 4 Min Read
2 0

Key Takeaways

  • The VECT ransomware group has partnered with TeamPCP, a threat actor specializing in supply chain attacks, to reverse the traditional ransomware kill chain.
  • TeamPCP compromises open-source software packages to steal credentials on a massive scale, providing VECT with a pre-vetted pool of victims before any ransomware is deployed.
  • This novel approach allows VECT to bypass initial reconnaissance, leveraging stolen credentials from compromised CI/CD pipelines and developer environments.
  • Over 10,000 CI/CD pipelines have been affected, leading to the theft of more than 500,000 credentials, including cloud tokens and GitHub/GitLab access tokens.
  • The FBI issued advisory IC3 FLASH-20260702-001 on July 2, 2026, highlighting the campaign’s broad impact and the persistent threat posed by these stolen credentials.

VECT and TeamPCP Reverse Ransomware Kill Chain

A new and concerning partnership has emerged in the cybercrime landscape, linking the VECT ransomware strain with the notorious threat group TeamPCP. This collaboration has inverted the conventional ransomware kill chain, enabling VECT to compromise thousands of organizations long before a ransom demand is ever issued. Unlike typical ransomware operations that first identify targets and then seek access, VECT’s operators acquire access credentials through TeamPCP’s sophisticated supply chain attacks, essentially purchasing their way into networks.

Table Of Content

  • Key Takeaways
  • VECT and TeamPCP Reverse Ransomware Kill Chain
  • TeamPCP’s Supply Chain Compromises
  • Why Detection Keeps Missing It
  • What You Should Do

This strategic shift means that victim selection for VECT occurs *after* initial access has been established and credentials have been stored in a shared archive. This pre-positioned access eliminates the need for VECT to conduct its own reconnaissance, drastically accelerating the attack timeline and expanding the potential victim pool. Analysts at Vectra AI highlighted this inverted approach, noting that it provides VECT with a ready-made inventory of targets.

TeamPCP’s Supply Chain Compromises

Between February and March 2026, TeamPCP actively tampered with four widely used open-source software packages critical to development teams. This campaign was detailed in an Vectra AI report shared with Cyber Security News (CSN), and further corroborated by the FBI’s IC3 FLASH-20260702-001 advisory, published on July 2, 2026. The advisory underscores the campaign’s focus on widespread credential harvesting rather than precise, targeted attacks.

One significant exploit involved CVE-2026-33634, which TeamPCP leveraged to modify 76 out of 77 versions of Trivy’s automated workflow, a popular container scanning tool. This was achieved by exploiting a stolen developer credential with write permissions to the repository. A similar tactic was employed against 35 versions of Checkmarx KICS, a tool designed for scanning infrastructure-as-code for misconfigurations, also resulting in the theft of automation credentials. Attackers then used these compromised credentials to create a covert repository named `docs-tpcp` within the victims’ GitHub accounts.

The most impactful compromise involved LiteLLM version 1.82.8, a Python library boasting approximately 95 million monthly downloads. TeamPCP inserted a malicious file, `litellm_init.pth`, into the installation package. Python automatically executes files with the `.pth` extension upon startup, granting the attackers persistent code execution capabilities on any system running the compromised LiteLLM version. Additionally, Telnyx Python SDK versions 4.87.1 and 4.87.2 were found to contain a sophisticated three-stage remote access trojan, giving attackers full control over infected machines.

TeamPCP is recognized for its prior involvement in the Shai-Hulud supply chain worm. This worm demonstrated an ability to spread through developer environments and CI/CD pipelines, generating valid signing certificates to bypass security checks. The Shai-Hulud campaign alone harvested over 500,000 credentials from more than 10,000 CI/CD pipelines, including cloud tokens, Kubernetes secrets, and GitHub/GitLab access tokens. The FBI has warned that credentials stolen in such campaigns remain a persistent threat, likely to be weaponized long after their initial compromise.

Why Detection Keeps Missing It

The effectiveness of this attack model stems from its ability to evade traditional detection mechanisms. The lateral movement between a compromised software package and a subsequent breach often appears as a series of legitimate, isolated actions across different log sources. For instance, a package manager logs an installation, a CI/CD pipeline records a workflow executed by a known service account, and a cloud provider logs an authenticated API call from a recognized identity. Individually, none of these actions trigger immediate suspicion.

This fragmented logging issue mirrors the challenges observed in the earlier Anodot-Snowflake supply chain incident, where stolen tokens from a SaaS integration provider were illicitly reused across customer environments without a clear trail connecting the dots. The VECT-TeamPCP operation replicates this pattern within the CI/CD layer. While Check Point Research’s technical analysis of VECT 2.0 revealed amateurish coding, including ineffective evasion routines and self-undoing obfuscation, the underlying infrastructure supporting this operation is remarkably sophisticated. VECT’s affiliate program is well-developed, featuring Monero escrow accounts, tiered commissions, and dedicated negotiators, publicly announced on BreachForums on April 16, 2026. This robust infrastructure, combined with TeamPCP’s extensive credential archive, effectively compensates for any technical shortcomings in the ransomware itself.

What You Should Do

Organizations should take immediate action to mitigate potential compromises from this campaign.

  • Assume pipeline credentials issued before April 2026 are compromised if your environment utilized LiteLLM 1.82.8, any Trivy GitHub Action pinned to 0.76.x or 0.77.x tags, any affected Checkmarx KICS tag, or Telnyx SDK 4.87.1 or 4.87.2 between February and April 2026.
  • Immediately rotate all potentially compromised credentials.
  • Thoroughly audit logs for any suspicious pipeline calls to production environments during the identified compromise window (February to April 2026).
  • Search installation directories on machines that ran LiteLLM 1.82.8 for the presence of `litellm_init.pth`.
  • Inspect your GitHub repositories for a hidden repository named `docs-tpcp`, as its existence confirms TeamPCP used your credentials.
  • Implement robust supply chain security practices, including rigorous vetting of open-source components and continuous monitoring of CI/CD pipelines for anomalous activity.
  • Enhance multi-factor authentication (MFA) across all developer accounts and critical systems.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackBreachCVEExploitMalwareransomwareSecurityThreatVulnerability

Share Article

Jennifer sherman

Jennifer sherman

Jennifer is a cybersecurity news reporter covering data breaches, ransomware campaigns, and dark web markets. With a background in incident response, Jennifer provides unique insights into how organizations respond to cyber attacks and the evolving tactics of threat actors. Her reporting has covered major breaches affecting millions of users and has helped organizations understand emerging threats. Jennifer combines technical knowledge with investigative journalism to deliver in-depth coverage of cybersecurity incidents.

Previous Post

Critical RCE Vulnerabilities in Microsoft Exchange Servers Expose 2,259 Orgs

Next Post

Gentlemen Ransomware Uses Custom EDR/AV Killers to Target Global Industries

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
AnyDesk Phishing Attack Uses Scheduled Tasks for Persistence, Evades Detection
July 7, 2026
Ubiquiti Discloses 25 UniFi Vulnerabilities, 2 Critical
July 7, 2026
STOCKSTAY Backdoor Targets Ukraine with Malicious RDP Files and WinRAR Exploit
July 7, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
David kimber
David kimber
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us