VECT and TeamPCP Reverse Ransomware Kill Chain with Supply Chain Credential Theft

A new ransomware strain known as VECT has emerged, employing an unconventional method to infiltrate organizations. Instead of the typical approach of scanning networks for vulnerabilities, VECT operators are leveraging stolen credentials obtained through compromised open-source software, thanks to a collaboration with the threat group TeamPCP.

Traditionally, ransomware groups identify a target, gain access, and then deploy their payload. However, VECT and TeamPCP have inverted this process. They first amass a repository of stolen credentials and then select victims from this pool, effectively bypassing the need for initial reconnaissance.

Between February and March 2026, TeamPCP tampered with four widely used open-source packages that development teams rely on daily. This strategic move allowed VECT to have a ready-made list of potential victims without the need for extensive network scanning.

Analysts at Vectra AI observed that the credential theft occurred well before any ransomware deployment, providing VECT with a substantial pool of pre-compromised targets. This method enables VECT to skip the reconnaissance phase entirely, selecting victims from an existing inventory of compromised credentials.

The FBI’s Internet Crime Complaint Center (IC3) issued an advisory on July 2, 2026, detailing a campaign that prioritizes scale over precision targeting. The advisory warns that stolen credentials can be weaponized long after the initial compromise, indicating a prolonged threat to organizations.

Exploitation of Open-Source Packages

TeamPCP exploited CVE-2026-33634 to overwrite 76 of 77 versions of Trivy’s automated workflow, a container scanning tool, using a stolen developer credential with write access to the repository. A similar technique was used to overwrite 35 versions of Checkmarx KICS, which scans infrastructure code for misconfigurations.

Attackers utilized the victim’s own automation credentials to create a hidden repository named docs-tpcp within the victim’s GitHub account. This allowed them to maintain persistence and control over the compromised environments.

The most damaging part of the campaign involved LiteLLM version 1.82.8, a library with approximately 95 million monthly downloads. TeamPCP added a file named litellm_init.pth to the installation. Files with the .pth extension are automatically executed by Python every time it starts, granting attackers persistent code execution on any machine running the package.

Additionally, Telnyx Python SDK versions 4.87.1 and 4.87.2 were found to carry a three-stage remote access trojan, providing attackers with control over infected machines.

Challenges in Detection

The movement between a poisoned package and a production breach often goes unnoticed in traditional security monitoring. This is because the initial compromise occurs within the development environment, making it challenging to detect until the ransomware is deployed.

Organizations are advised to implement stringent supply chain security measures, conduct regular audits of their development environments, and monitor for unusual activities to mitigate the risks associated with such sophisticated attacks.

This collaboration between VECT and TeamPCP underscores the evolving nature of cyber threats, highlighting the need for proactive and comprehensive security strategies to protect against supply chain attacks and credential theft.