VECT and TeamPCP Reverse the Ransomware Kill Chain With Supply Chain Credential Theft


VECT and TeamPCP have created a dangerous ransomware model that starts with stolen software supply chain credentials instead of direct network intrusion. The result is a pool of exposed organizations that attackers can review before choosing which victims to extort.

The campaign changes the usual ransomware timeline. Instead of scanning for a target, breaking in, and then deploying ransomware, TeamPCP first compromises trusted developer tools and harvests credentials. VECT can then use that credential archive to select victims later, according to Vectra AI.

The partnership matters because many of the stolen secrets came from CI/CD pipelines and developer environments. These systems often hold cloud tokens, GitHub and GitLab tokens, Kubernetes secrets, SSH keys, and registry credentials that can open a path into production systems.

What makes the VECT and TeamPCP model different

TeamPCP focuses on supply chain compromise, while VECT provides ransomware deployment and extortion infrastructure. Sophos said the two groups announced a formal operational partnership in late March 2026 to combine credential harvesting with ransomware deployment.

This turns routine software use into a potential ransomware exposure. A developer may install a poisoned package or run a compromised GitHub Action, then the attacker collects secrets from the build environment. The victim may not see a ransom note for weeks or months.

The FBI FLASH advisory said TeamPCP actors targeted widely used developer and security tools, gained access to victim environments, and extracted sensitive data, including cloud access tokens, SSH keys, and Kubernetes secrets.

Traditional ransomware chainVECT and TeamPCP chain
Pick a victim firstCompromise trusted tools first
Scan for exposed systemsSteal credentials from CI/CD pipelines
Move through the networkUse valid cloud and developer tokens
Deploy ransomware after intrusionSelect victims after access already exists

Trusted security tools became the delivery path

Between late February and March 2026, TeamPCP compromised several tools used by developers, cloud teams, and security engineers. Unit 42 said the affected software included Trivy, Checkmarx KICS, LiteLLM, and the Telnyx Python SDK.

The Trivy incident received the identifier CVE-2026-33634. The NVD record says a threat actor used compromised credentials to publish a malicious Trivy release, force-push most trivy-action version tags to credential-stealing malware, and replace setup-trivy tags with malicious commits.

LiteLLM also became a major risk because of its role in AI and LLM application stacks. Kaspersky reported that malicious LiteLLM versions 1.82.7 and 1.82.8 were published on PyPI on March 24, 2026, and contained credential-stealing malware.

  • Trivy GitHub Action tags were force-pushed to malicious commits.
  • Checkmarx KICS tags were also affected in the campaign.
  • LiteLLM versions 1.82.7 and 1.82.8 carried malicious code.
  • Telnyx Python SDK versions 4.87.1 and 4.87.2 were linked to a remote access trojan.
  • Some activity created hidden or unexpected repositories inside victim GitHub accounts.

Why stolen CI/CD credentials are hard to detect

The campaign creates a visibility problem for defenders. A package manager may only show a normal install. A CI/CD platform may record a routine workflow run from a known service account. A cloud platform may log an authenticated API call from a valid token.

None of those events may look suspicious alone. The pattern becomes clear only when teams connect package installation times, workflow activity, secret access, outbound traffic, and cloud API calls.

The same issue appears in the Vectra AI analysis, which warned that no single log may show the full path from a compromised package to production cloud access. That makes asset inventory and log correlation critical.

IndicatorWhy it matters
litellm_init.pthMay indicate a malicious LiteLLM installation path on affected systems
docs-tpcp repositoryMay show that TeamPCP used victim credentials to create a hidden GitHub repository
Trivy action tags in affected rangesMay indicate exposure to credential-stealing workflow code
Old cloud tokens issued before April 2026May remain useful to attackers if not rotated after exposure
Unexpected pipeline calls to productionMay show misuse of trusted automation identities

VECT adds ransomware risk, but its code has serious flaws

VECT increases the risk because it turns stolen credentials into a ransomware deployment path. However, the malware itself appears technically weak in some areas.

Check Point Research found that VECT 2.0 can permanently destroy large files rather than encrypt them correctly. The report said the ransomware discards decryption data for files above 128 KB, which can make full recovery impossible even for the attackers.

This means paying a ransom may not restore damaged files in affected cases. The surrounding criminal operation may be organized, but the ransomware code can still create irreversible data loss.

What organizations should check now

Organizations that used affected developer or security tools between February and April 2026 should treat relevant pipeline secrets as potentially compromised. The FBI guidance recommends credential rotation, secret scanning, CI/CD hardening, artifact integrity checks, and stronger logging across pipeline systems.

Security teams should search for LiteLLM compromise indicators, review GitHub organizations for unexpected repositories, and check whether affected Trivy or KICS tags ran in build pipelines. The Kaspersky analysis also highlights the need to review PyPI package use during the March 2026 exposure window.

The VECT operator announced the partnership publicly on BreachForums on April 16, 2026 (Source – Vectra AI)

For Trivy, teams should review CVE-2026-33634 carefully because the NVD entry links the incident to compromised credentials, malicious version tags, and a credential rotation gap that may have allowed continued attacker access.

  1. Identify every CI/CD job that used Trivy, KICS, LiteLLM, or Telnyx Python SDK during the exposure window.
  2. Rotate cloud tokens, registry credentials, GitHub tokens, GitLab tokens, SSH keys, and Kubernetes secrets used by those jobs.
  3. Search developer machines and build runners for litellm_init.pth and other unexpected Python startup files.
  4. Check GitHub organizations for unknown repositories, including docs-tpcp.
  5. Review cloud audit logs for unusual API calls from automation identities.
  6. Pin trusted package versions and require integrity checks before CI/CD jobs run external tools.

Why this campaign should change ransomware planning

The VECT and TeamPCP case shows that ransomware exposure can begin before a victim knows attackers are inside. A single poisoned tool can harvest secrets from many organizations, and those credentials can later become the starting point for extortion.

Unit 42 described the campaign as an attack on trusted security and developer infrastructure, not only on individual endpoints. That distinction matters because these tools often run with broad privileges in build and deployment systems.

Sophos said the convergence of large-scale credential theft, ransomware-as-a-service operations, and cybercrime forum mobilization lowers the barrier for other attackers. In practical terms, defenders need to secure the software pipeline as closely as they secure production servers.

Bottom line

VECT and TeamPCP did not invent supply chain attacks, but their partnership shows how stolen developer credentials can feed ransomware operations at scale. The kill chain now starts with trusted tools, build workflows, and automation identities.

The risk does not end when a poisoned package is removed. Old tokens, hidden repositories, persistent backdoors, and reused automation credentials can keep the door open. Since Check Point Research found that VECT can act like a destructive wiper for large files, organizations should focus on prevention, fast credential rotation, and reliable offline backups rather than assuming ransom payment can restore data.

FAQ

What are VECT and TeamPCP?

VECT is a ransomware operation, while TeamPCP is a threat group linked to software supply chain compromises and credential theft. Their partnership combines stolen CI/CD and cloud credentials with ransomware deployment infrastructure.

Why is the VECT and TeamPCP campaign unusual?

The campaign reverses the usual ransomware kill chain. TeamPCP first compromises trusted software tools and steals credentials. VECT can then choose victims from that credential archive instead of breaking into each target from scratch.

Which tools were affected in the TeamPCP campaign?

Reports linked the campaign to Trivy, Checkmarx KICS, LiteLLM, and the Telnyx Python SDK. Organizations that used affected versions during the February to April 2026 window should review pipeline credentials and audit logs.

What should companies do after possible TeamPCP exposure?

Companies should rotate affected credentials, scan repositories and logs for exposed secrets, review CI/CD activity, search for indicators such as litellm_init.pth and docs-tpcp, and strengthen package integrity controls.

Can victims recover files encrypted by VECT ransomware?

Recovery may be difficult or impossible in some VECT 2.0 incidents because researchers found that the ransomware can destroy decryption data for files larger than 128 KB. Reliable offline backups remain the safest recovery path.

Readers help support VPNCentral. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more

User forum

0 messages