Counter Threat Unit™ (CTU) researchers investigated two interconnected threat groups known as Vect and TeamPCP. The two groups announced a formal operational partnership in late March 2026 to combine TeamPCP’s credential harvesting and data theft capabilities with Vect’s ransomware deployment infrastructure in a widespread campaign involving supply chain attacks and the extortion of multiple organizations.
Vect evolution
The Vect ransomware-as-a-service (RaaS) operation first appeared on December 31, 2025, when an account operating under the group’s name posted an affiliate recruitment advertisement on Rehub, a prominent Russian-language cybercrime forum. Vect claimed its first victims in January 2026 and then launched Vect 2.0 one month later. The launch of the new version coincided with an affiliate recruitment effort, and Vect claimed on X (formerly Twitter) that they had recruited 60 affiliates, attacked 154 organizations, and received “tens of successful payments” within two months.
Vect has demonstrated a willingness to collaborate with other cybercriminals to expand operations. In March, the group announced partnerships with BreachForums and TeamPCP (see Figure 1). Despite declaring that the more than 300,000 BreachForums members would each receive a Vect affiliation key, the number who would actually launch ransomware attacks on Vect’s behalf would likely be substantially lower. TeamPCP (also known as PCPcat, ShellForce, and DeadCatx3) appears to be made up of individuals previously affiliated with The Com, a global confederation of primarily English-speaking cybercriminals. Two victims listed on the Vect data leak site were labeled as victims of the “LiteLLM/Trivy Campaign (TeamPCP).”

Figure 1: Vect announcing partnerships with BreachForums and TeamPCP
TeamPCP evolution
TeamPCP first gained notoriety in December 2025 in connection with the mass exploitation of the React2Shell vulnerability (CVE-2025-55182), a critical (CVSS of 10.0) pre-authentication remote code execution flaw in React Server Components. TeamPCP deployed a worm-driven campaign that leveraged exposed Docker APIs, Kubernetes clusters, Ray dashboards, and Redis servers in conjunction with React2Shell exploitation. The campaign impacted organizations in Canada, Serbia, South Korea, the UAE, and the United States, with victims spanning technology, finance, healthcare, and government sectors. A notable operational signature during this phase was the use of outbound port 666 for almost all network activity.
From March through May 2026, TeamPCP made headlines for a series of high-profile supply chain attacks. Figure 2 shows a timeline of attributed attacks.

Figure 2: TeamPCP supply chain attacks from March through May 2026
The first of these attacks was on Trivy, an open-source vulnerability scanner that is made by Aqua Security and used by thousands of organizations worldwide. The threat actors reportedly gained a foothold in late February by stealing login credentials from Trivy’s development systems. Aqua Security discovered and attempted to mitigate that compromise on March 1, but the cleanup was incomplete and allowed the attackers to quietly retain access. On March 19, they struck at scale — simultaneously tampering with the core Trivy scanner program and its associated automation tools on GitHub and triggering the publication of a poisoned version of the software to official channels. Organizations that downloaded what appeared to be a legitimate security update were actually installing malware. The malicious version silently harvested passwords, cloud credentials, and other sensitive secrets from the systems it ran on, then transmitted that stolen data to attacker-controlled servers. It continued to perform its normal scanning functions to avoid suspicion. The attackers then used those stolen credentials to launch a self-propagating worm named CanisterWorm, which spread across dozens of widely used software packages. Developers or automated pipelines that installed an affected package inadvertently contributed to this spread. The Trivy team identified and removed the malicious components within hours, but a significant number of organizations were already impacted. In a Forbes interview, a member of TeamPCP confirmed that they had used AI agents to enhance their attack strategy. They claimed that they deployed an AI agent to socially engineer Aqua Security’s service account into providing GitHub access; however, they did not provide additional details.
Four days after the Trivy compromise, TeamPCP used credentials stolen during that initial attack to gain access to Checkmarx repositories. Checkmarx is one of the most widely used application security vendors in the world. The incident affected two plugins distributed via the OpenVSX marketplace and two of Checkmarx’s GitHub Actions workflows (automated tools that run inside software development pipelines). The attackers pushed malicious commits to all 35 version tags of the Checkmarx Keeping Infrastructure as Code Secure (KICS) GitHub Action and poisoned version 2.3.28 of the AST GitHub Action, injecting a credential-stealing payload that third-party researchers determined was functionally identical to the malware used against Trivy. Stolen data was encrypted and exfiltrated to an attacker-controlled domain that mimicked Checkmarx’s infrastructure. If that primary channel failed, the malware used the victim’s GitHub credentials to create a hidden repository within that organization’s GitHub account and upload the stolen data there. The exposure window was relatively short: the malicious GitHub Actions workflows were available for less than four hours, and the malicious OpenVSX plugins were live for approximately 12 hours. But given the scale at which these tools are used across enterprise development environments, even a few hours were sufficient for significant exposure. Open-source password manager Bitwarden’s command-line interface (CLI) was also subsequently compromised as part of the Checkmarx intrusion, dramatically increasing the potential impact given Bitwarden’s tens of millions of users.
On March 24, TeamPCP pivoted to targeting PyPI publishing tokens that were likely harvested from the Trivy compromise. The group poisoned BerriAI’s LiteLLM Continuous Integration and Continuous Delivery/Deployment (CI/CD) pipeline to publish malicious versions (1.82.7 and 1.82.8) to PyPI. LiteLLM is an AI gateway library with approximately 96 million monthly downloads; it routes requests across LLM providers. The malicious packages contained credential-harvesting payloads and Kubernetes-oriented lateral movement logic. Version 1.82.8 included a file mechanism that triggered the payload automatically on Python interpreter startup, even without explicitly importing the package. The packages were live for approximately three hours before quarantine.
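The report does not name the startup mechanism used by version 1.82.8. One Python feature that behaves exactly as described is the interpreter's handling of `.pth` files: the `site` module reads every `*.pth` file in each site-packages directory at startup and executes any line beginning with `import`, while treating other lines as paths to add to `sys.path`. The audit script below is an added example written for this page, not code from the report or from LiteLLM; it assumes the `.pth` mechanism and lists every such executable line so a defender can compare the result against a known baseline (some legitimate packages, such as editable installs, also use `import` lines in `.pth` files).

```python
"""Audit Python site directories for .pth files that run code at startup.

Added example (not from the report). Assumes the startup trigger is a .pth
file: site.py exec()s lines that begin with "import " or "import\t", so an
installed package can run code on every interpreter launch without ever
being imported.
"""
import site
from pathlib import Path

# Constructed sample .pth body: two ordinary path lines, a comment, and one
# line that site.py would execute at startup.
SAMPLE_PTH = (
    "/opt/venv/lib/vendor\n"
    "# harmless comment\n"
    "relative/extra\n"
    "import sys; sys.stdout.write('startup hook ran')\n"
)


def executable_pth_lines(text: str) -> list[str]:
    """Return the lines of a .pth body that the site module would exec()."""
    found = []
    for raw in text.splitlines():
        line = raw.rstrip("\r")
        if not line.strip() or line.startswith("#"):
            continue  # blank lines and comments are ignored by site.py
        if line.startswith(("import ", "import\t")):
            found.append(line)  # everything else is a sys.path entry, not code
    return found


def audit_pth_dir(directory: Path) -> dict[str, list[str]]:
    """Map each .pth file in `directory` to the import lines it contains."""
    report: dict[str, list[str]] = {}
    for pth in sorted(directory.glob("*.pth")):
        try:
            body = pth.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the audit
        lines = executable_pth_lines(body)
        if lines:
            report[str(pth)] = lines
    return report


def site_dirs() -> list[Path]:
    """All site-packages directories the running interpreter consults."""
    dirs = list(site.getsitepackages()) if hasattr(site, "getsitepackages") else []
    user = site.getusersitepackages()
    if user:
        dirs.append(user)
    return [Path(d) for d in dirs if Path(d).is_dir()]


def demo() -> list[str]:
    """Run the classifier over the constructed sample body."""
    return executable_pth_lines(SAMPLE_PTH)


if __name__ == "__main__":
    print("sample:", demo())
    for d in site_dirs():
        for path, lines in audit_pth_dir(d).items():
            print(path)
            for line in lines:
                print("   ", line)
```

Run it inside the interpreter whose environment you want to check (for example the one used by a CI runner); a flagged line is not proof of compromise, but any `.pth` import line that no installed package is known to ship warrants inspection of the package that wrote it.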
Following a similar pattern to the LiteLLM attack, TeamPCP published malicious versions of the Telnyx Python SDK (4.87.1 and 4.87.2) to PyPI on March 27. These versions introduced WAV audio steganography as a novel payload delivery mechanism with distinct Windows and Linux/macOS-specific execution paths, representing a further evolution of delivery technique within a single campaign.
TeamPCP partnered with established extortion groups to monetize what they had taken. The Lapsus$ group added Checkmarx to its leak site, claiming to have obtained source code, API keys, database credentials, and employee details. TeamPCP itself publicly boasted of plans to chain these compromises into ransomware campaigns. This threat materialized in early April when an AI startup confirmed it was among thousands of companies affected by the cascading attacks.
During this campaign, TeamPCP compromised four widely deployed security and AI tooling packages, propagated a worm across more than 48 npm packages, and impacted over 1,000 enterprise software-as-a-service (SaaS) environments. Approximately 300 GB of compressed credentials were exfiltrated, including an estimated 500,000 individual credential sets. On May 9, TeamPCP continued supply chain attacks by again targeting Checkmarx and publishing a malicious version of the Checkmarx Jenkins AST plugin. As part of this second intrusion, TeamPCP defaced the plugin’s GitHub repository, renaming it and updating the description to read “Checkmarx fails to rotate secrets again. with love – TeamPCP.”
Vect/TeamPCP partnership
The formal partnership between TeamPCP and Vect allows Vect to deploy ransomware across all organizations compromised in the Trivy and LiteLLM supply chain attacks. CTU™ researchers observed TeamPCP recruiting negotiators shortly after the Trivy compromise, suggesting the group anticipated a rapid move to monetization. Prior to the Vect partnership, TeamPCP was running another ransomware operation under the CipherForce brand. CipherForce listed six victims on its leak site in February 2026 and rebranded as a TeamPCP leak site in May (see Figure 3).

Figure 3: TeamPCP leak site
In April, Jumpsec described a critical implementation flaw in Vect ransomware that caused any file larger than 128KB to be permanently destroyed rather than encrypted. Vect responded via an X post that denied a problem existed; however, other researchers have also reported the same issue with the Vect ransomware binary. TeamPCP released a statement confirming that they had never used Vect encryption tools and only ever used their own CipherForce locker. The statement confirmed that TeamPCP was also in partnership with Lapsus$, specifically in relation to the Checkmarx incident. The Lapsus$ data leak site listed Checkmarx as a victim.
The Vect/TeamPCP alliance represents a meaningful shift in the ransomware threat landscape, even accounting for the technical shortcomings that undermine its operational effectiveness. The convergence of large-scale supply chain credential theft, a maturing RaaS operation, and mass underground forum mobilization constitutes an unprecedented model of industrialized ransomware deployment that significantly lowers the barrier to entry for cybercrime. TeamPCP has proven an ability to repeatedly compromise trusted open-source tooling. At least one verified Vect ransomware deployment using TeamPCP-sourced credentials has been confirmed, meaning the pipeline from supply chain compromise to ransomware execution is operational. Critically, organizations impacted by Vect should not assume that a ransom payment will result in successful data restoration; the encryption flaws documented by third-party researchers mean that paying may simply result in permanent, irrecoverable data loss.
Recommendations and protections
Organizations that use open-source tools in their development workflows should maintain an up-to-date inventory to enable a prompt assessment of potential impact when a supply chain compromise is announced and to facilitate a quick response to mitigate the risk. Third-party software updates could be an attack vector, so organizations should verify the integrity of updates before deploying them across their environment.
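The Checkmarx incident above shows why a mutable version tag is a weak reference for a GitHub Action: the attackers pushed malicious commits to all 35 version tags, so any workflow referencing a tag received the poisoned code on its next run, while a workflow pinned to a full commit SHA would not have. The script below is an added example for this page, not code from the report or from any vendor named in it; it scans workflow files for `uses:` references and reports those not pinned to a 40-character commit SHA. It uses a regular expression rather than a YAML parser to stay dependency-free, and the action names and SHA in the sample workflow are constructed placeholders.

```python
"""Report GitHub Actions `uses:` references that are not pinned to a commit SHA.

Added example (not from the report). A reference such as owner/action@v2 or
owner/action@main moves when the tag or branch is updated; only a full
40-hex-digit commit SHA is immutable.
"""
import re
from pathlib import Path

# Matches "uses: <ref>" on a step line, with or without quotes or a list dash.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"]+)['\"]?", re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow; action names and the SHA are placeholders.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: example-org/example-scan-action@v2
      - uses: ./.github/actions/local-step
      - name: run tests
        uses: "example-org/another-action@main"
        with:
          args: test
"""


def classify_uses(ref: str) -> str:
    """Classify one `uses:` value as 'local', 'docker', 'sha' or 'mutable'."""
    if ref.startswith("./"):
        return "local"  # action from this repository; travels with the commit
    if ref.startswith("docker://"):
        return "docker"  # image reference; pin by digest, out of scope here
    if "@" not in ref:
        return "mutable"  # no ref at all resolves to the default branch
    _, _, version = ref.rpartition("@")
    return "sha" if SHA_RE.match(version) else "mutable"


def find_unpinned(workflow_yaml: str) -> list[str]:
    """Return every `uses:` reference in the text that is not SHA-pinned."""
    return [
        m.group(1)
        for m in USES_RE.finditer(workflow_yaml)
        if classify_uses(m.group(1)) == "mutable"
    ]


def audit_repo(root: Path) -> dict[str, list[str]]:
    """Map each workflow file under root/.github/workflows to its unpinned refs."""
    report: dict[str, list[str]] = {}
    for wf in sorted((root / ".github" / "workflows").glob("*.y*ml")):
        refs = find_unpinned(wf.read_text(encoding="utf-8", errors="replace"))
        if refs:
            report[str(wf)] = refs
    return report


if __name__ == "__main__":
    print("sample:", find_unpinned(SAMPLE_WORKFLOW))
    for path, refs in audit_repo(Path(".")).items():
        print(path)
        for ref in refs:
            print("   ", ref)
```

The same principle applies to the PyPI incidents described above: installing with `pip install --require-hashes` against a requirements file that records each artifact's hash rejects a republished version whose contents differ, which is the package-level counterpart of SHA-pinning an Action.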
The following Sophos protections relate to this threat:
- Troj/PyAgent-CA
- JS/Agent-BLZZ
- JS/Steal-EAP
- Linux/Agnt-HZ
