A ransomware strain known as VECT has formed an unusual supply chain partnership with the threat group TeamPCP. This collaboration has led to the quiet exposure of thousands of organizations to potential compromise before any ransom note is even delivered. Unlike typical ransomware operations that scan networks for vulnerabilities, VECT’s operators gain initial access by utilizing stolen credentials. These credentials are often harvested from compromised open-source software, representing a significant shift in attack vectors. This method allows VECT to bypass traditional network reconnaissance, leading to a more stealthy and widespread initial compromise.
The Reversed Ransomware Kill Chain
The typical ransomware kill chain involves target selection, gaining access, and then deploying the payload. However, VECT and TeamPCP operate in reverse. Target selection occurs only after access has already been established within a shared credential archive. This approach allows them to build a ready-made inventory of potential victims, bypassing the reconnaissance phase entirely.
Supply Chain Compromise by TeamPCP
Between February and March 2026, TeamPCP actively tampered with four widely used open-source packages. These packages are essential tools relied upon daily by development teams. This supply chain compromise is a critical aspect of their operation, allowing them to inject malicious code into legitimate software distribution channels. The FBI’s IC3 FLASH-20260702-001 advisory highlights this campaign’s reliance on scale rather than precision targeting.
A particularly damaging aspect involved LiteLLM version 1.82.8, a library with approximately 95 million monthly downloads. TeamPCP added a file named litellm_init.pth to the installation package. Files with the .pth extension are automatically executed by Python upon startup. This technique provides attackers with persistent code execution capabilities on any machine that runs the compromised package.
The Telnyx Python SDK, specifically versions 4.87.1 and 4.87.2, also carried a three-stage remote access trojan. This malware grants attackers control over infected machines. TeamPCP is recognized as the same group responsible for the Shai-Hulud supply chain worm. This worm spreads through developer environments and CI/CD pipelines, harvesting credentials and potentially generating valid signing certificates to bypass verification checks. This resulted in the compromise of over 500,000 credentials from more than 10,000 CI/CD pipelines, including cloud tokens, Kubernetes secrets, and GitHub/GitLab access tokens.
Technical Exploitation and Credential Theft
TeamPCP exploited CVE-2026-33634 to overwrite 76 out of 77 versions of Trivy’s automated workflow. Trivy is a container scanning tool. This was achieved using a stolen developer credential that possessed write access to the repository. A similar technique was employed against Checkmarx KICS, a tool that scans infrastructure code for misconfigurations, impacting 35 of its versions.
Attackers leveraged the victim’s own automation credentials to create a hidden repository named docs-tpcp within the victim’s GitHub account. The intelligence gathered indicates that movement between a poisoned package and a subsequent production breach often goes unnoticed in individual logs. A package manager might record an installation, a pipeline might log a workflow tied to a service account, and a cloud provider might record an authenticated API call. Individually, none of these events appear suspicious, making detection difficult.
This fragmented logging pattern mirrors previous incidents, such as the Anodot-Snowflake supply chain attack, where compromised tokens from a SaaS integration provider were reused across multiple customer environments without a unified detection strategy. The VECT-TeamPCP case extends this pattern to the CI/CD layer.
VECT’s Operations and Infrastructure
VECT’s operations are characterized by an affiliate program that includes Monero escrow accounts, tiered commissions, and dedicated negotiators. This program was publicly integrated with BreachForums on April 16, 2026. Crucially, TeamPCP’s credential archive effectively substitutes for traditional technical exploitation skills. Their sophisticated surrounding infrastructure contrasts with the amateur coding observed in some of VECT’s malware, which includes ineffective evasion routines and self-undoing obfuscation layers.
The malware, while unpolished, operates within a highly developed infrastructure. The affiliate program details, including the use of Monero for escrow and commissions, suggest a structured and financially motivated operation. The integration with BreachForums further solidifies its place within the broader cybercriminal ecosystem.
Indicators of Compromise (IOCs)
Organizations that ran LiteLLM version 1.82.8, Trivy GitHub Actions pinned to 0.76.x or 0.77.x tags, affected Checkmarx KICS tags, or Telnyx SDK versions 4.87.1 or 4.87.2 between February and April 2026 should treat their pipeline credentials as potentially compromised.
- Compromised Software Versions:
- LiteLLM versions 1.82.8
- Trivy GitHub Action versions pinned to 0.76.x or 0.77.x tags
- Affected Checkmarx KICS tags
- Telnyx Python SDK versions 4.87.1 and 4.87.2
- Malicious File Indicator:
litellm_init.pthfile within LiteLLM installations. - Repository Indicators: Hidden GitHub repository named
docs-tpcpwithin victim environments. - Timing Window: Incidents occurring between February and April 2026.
Detection and Mitigation Strategies
Security teams should proactively search for the litellm_init.pth file in installation directories on affected systems. Reviewing GitHub repositories for the presence of a hidden docs-tpcp repository is also recommended, as its existence confirms that TeamPCP may have leveraged internal credentials against the organization.
Credentials issued prior to April 2026 within affected environments should be rotated immediately. Audit logs should be thoroughly reviewed for any suspicious pipeline calls to production environments during the identified timeframe. The FBI has emphasized that stolen credentials can remain a threat long after the initial compromise, meaning the risk does not diminish over time.
Given the sophisticated nature of supply chain attacks and the challenges in correlating disparate log entries, a robust security posture is essential. This includes continuous monitoring of CI/CD pipelines, strict access controls for repositories, and prompt rotation of all credentials, especially those used by automated systems and service accounts. Integrating live threat intelligence feeds can provide critical context and early warnings for emerging threats and attack patterns, aiding in the timely detection and prevention of sophisticated incidents that can lead to significant financial loss and operational disruption. For up-to-date threat intelligence, resources like those provided by CISA or specialized security research blogs are invaluable.










