VECT and TeamPCP Reverse the Ransomware Kill Chain With Supply Chain Credential Theft
VECT and TeamPCP have created a dangerous ransomware model that starts with stolen software supply chain credentials instead of direct network intrusion. The result is a pool of exposed organizations that attackers can review before choosing which victims to extort.
The campaign changes the usual ransomware timeline. Instead of scanning for a target, breaking in, and then deploying ransomware, TeamPCP first compromises trusted developer tools and harvests credentials. VECT can then use that credential archive to select victims later, according to Vectra AI.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
The partnership matters because many of the stolen secrets came from CI/CD pipelines and developer environments. These systems often hold cloud tokens, GitHub and GitLab tokens, Kubernetes secrets, SSH keys, and registry credentials that can open a path into production systems.
What makes the VECT and TeamPCP model different
TeamPCP focuses on supply chain compromise, while VECT provides ransomware deployment and extortion infrastructure. Sophos said the two groups announced a formal operational partnership in late March 2026 to combine credential harvesting with ransomware deployment.
This turns routine software use into a potential ransomware exposure. A developer may install a poisoned package or run a compromised GitHub Action, then the attacker collects secrets from the build environment. The victim may not see a ransom note for weeks or months.
The FBI FLASH advisory said TeamPCP actors targeted widely used developer and security tools, gained access to victim environments, and extracted sensitive data, including cloud access tokens, SSH keys, and Kubernetes secrets.
| Traditional ransomware chain | VECT and TeamPCP chain |
|---|---|
| Pick a victim first | Compromise trusted tools first |
| Scan for exposed systems | Steal credentials from CI/CD pipelines |
| Move through the network | Use valid cloud and developer tokens |
| Deploy ransomware after intrusion | Select victims after access already exists |
Trusted security tools became the delivery path
Between late February and March 2026, TeamPCP compromised several tools used by developers, cloud teams, and security engineers. Unit 42 said the affected software included Trivy, Checkmarx KICS, LiteLLM, and the Telnyx Python SDK.
The Trivy incident received the identifier CVE-2026-33634. The NVD record says a threat actor used compromised credentials to publish a malicious Trivy release, force-push most trivy-action version tags to credential-stealing malware, and replace setup-trivy tags with malicious commits.
LiteLLM also became a major risk because of its role in AI and LLM application stacks. Kaspersky reported that malicious LiteLLM versions 1.82.7 and 1.82.8 were published on PyPI on March 24, 2026, and contained credential-stealing malware.
- Trivy GitHub Action tags were force-pushed to malicious commits.
- Checkmarx KICS tags were also affected in the campaign.
- LiteLLM versions 1.82.7 and 1.82.8 carried malicious code.
- Telnyx Python SDK versions 4.87.1 and 4.87.2 were linked to a remote access trojan.
- Some activity created hidden or unexpected repositories inside victim GitHub accounts.
Why stolen CI/CD credentials are hard to detect
The campaign creates a visibility problem for defenders. A package manager may only show a normal install. A CI/CD platform may record a routine workflow run from a known service account. A cloud platform may log an authenticated API call from a valid token.
None of those events may look suspicious alone. The pattern becomes clear only when teams connect package installation times, workflow activity, secret access, outbound traffic, and cloud API calls.
The same issue appears in the Vectra AI analysis, which warned that no single log may show the full path from a compromised package to production cloud access. That makes asset inventory and log correlation critical.
| Indicator | Why it matters |
|---|---|
| litellm_init.pth | May indicate a malicious LiteLLM installation path on affected systems |
| docs-tpcp repository | May show that TeamPCP used victim credentials to create a hidden GitHub repository |
| Trivy action tags in affected ranges | May indicate exposure to credential-stealing workflow code |
| Old cloud tokens issued before April 2026 | May remain useful to attackers if not rotated after exposure |
| Unexpected pipeline calls to production | May show misuse of trusted automation identities |
VECT adds ransomware risk, but its code has serious flaws
VECT increases the risk because it turns stolen credentials into a ransomware deployment path. However, the malware itself appears technically weak in some areas.
Check Point Research found that VECT 2.0 can permanently destroy large files rather than encrypt them correctly. The report said the ransomware discards decryption data for files above 128 KB, which can make full recovery impossible even for the attackers.
This means paying a ransom may not restore damaged files in affected cases. The surrounding criminal operation may be organized, but the ransomware code can still create irreversible data loss.
What organizations should check now
Organizations that used affected developer or security tools between February and April 2026 should treat relevant pipeline secrets as potentially compromised. The FBI guidance recommends credential rotation, secret scanning, CI/CD hardening, artifact integrity checks, and stronger logging across pipeline systems.
Security teams should search for LiteLLM compromise indicators, review GitHub organizations for unexpected repositories, and check whether affected Trivy or KICS tags ran in build pipelines. The Kaspersky analysis also highlights the need to review PyPI package use during the March 2026 exposure window.

For Trivy, teams should review CVE-2026-33634 carefully because the NVD entry links the incident to compromised credentials, malicious version tags, and a credential rotation gap that may have allowed continued attacker access.
- Identify every CI/CD job that used Trivy, KICS, LiteLLM, or Telnyx Python SDK during the exposure window.
- Rotate cloud tokens, registry credentials, GitHub tokens, GitLab tokens, SSH keys, and Kubernetes secrets used by those jobs.
- Search developer machines and build runners for litellm_init.pth and other unexpected Python startup files.
- Check GitHub organizations for unknown repositories, including docs-tpcp.
- Review cloud audit logs for unusual API calls from automation identities.
- Pin trusted package versions and require integrity checks before CI/CD jobs run external tools.
Why this campaign should change ransomware planning
The VECT and TeamPCP case shows that ransomware exposure can begin before a victim knows attackers are inside. A single poisoned tool can harvest secrets from many organizations, and those credentials can later become the starting point for extortion.
Unit 42 described the campaign as an attack on trusted security and developer infrastructure, not only on individual endpoints. That distinction matters because these tools often run with broad privileges in build and deployment systems.
Sophos said the convergence of large-scale credential theft, ransomware-as-a-service operations, and cybercrime forum mobilization lowers the barrier for other attackers. In practical terms, defenders need to secure the software pipeline as closely as they secure production servers.
Bottom line
VECT and TeamPCP did not invent supply chain attacks, but their partnership shows how stolen developer credentials can feed ransomware operations at scale. The kill chain now starts with trusted tools, build workflows, and automation identities.
The risk does not end when a poisoned package is removed. Old tokens, hidden repositories, persistent backdoors, and reused automation credentials can keep the door open. Since Check Point Research found that VECT can act like a destructive wiper for large files, organizations should focus on prevention, fast credential rotation, and reliable offline backups rather than assuming ransom payment can restore data.
FAQ
VECT is a ransomware operation, while TeamPCP is a threat group linked to software supply chain compromises and credential theft. Their partnership combines stolen CI/CD and cloud credentials with ransomware deployment infrastructure.
The campaign reverses the usual ransomware kill chain. TeamPCP first compromises trusted software tools and steals credentials. VECT can then choose victims from that credential archive instead of breaking into each target from scratch.
Reports linked the campaign to Trivy, Checkmarx KICS, LiteLLM, and the Telnyx Python SDK. Organizations that used affected versions during the February to April 2026 window should review pipeline credentials and audit logs.
Companies should rotate affected credentials, scan repositories and logs for exposed secrets, review CI/CD activity, search for indicators such as litellm_init.pth and docs-tpcp, and strengthen package integrity controls.
Recovery may be difficult or impossible in some VECT 2.0 incidents because researchers found that the ransomware can destroy decryption data for files larger than 128 KB. Reliable offline backups remain the safest recovery path.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
User forum
0 messages