Summary:
The Vect ransomware group has begun publishing victim data obtained from the March 2026 TeamPCP Trivy supply chain compromise, confirming that a campaign affecting more than 1,000 enterprise software-as-a-service (SaaS) environments has escalated from credential theft and espionage into active double-extortion ransomware operations. Further victim listings are expected.
On 15 April 2026, Vect listed its first known victim—a property-management technology company—claiming exfiltration of approximately four million emails and 700 GB of data from TeamPCP’s Trivy campaign. This listing confirms that the Vect-TeamPCP partnership is operational and marks an escalation leveraging the TeamPCP supply chain breach.
The breadth of exposure stems from the pipeline-level access that made the initial compromise so effective; more than 1,000 environments are believed to have been affected. Trivy, Checkmarx KICS, LiteLLM, and the Telnyx SDK were each positioned within development and deployment workflows in ways that gave the attacker access to credentials at scale. Any organization that ran affected versions of these tools during March 2026 should treat every credential reachable from its pipelines (CI secrets, cloud provider keys, SSH keys, Kubernetes secrets, and tokens resident in runner process memory) as compromised, rotate them, and take immediate remediation steps.
Background:
TeamPCP first appeared in late December 2025 as a group focused on exploiting misconfigured Docker APIs and Kubernetes clusters in cloud environments. The group also operates under several forum personas, including DeadCatx3, PCPcat, Persy_PCP, ShellForce, and CipherForce. The group's activity escalated in March 2026, when it launched a multi-stage supply chain operation that poisoned several widely used open-source security and developer tools across five package and distribution ecosystems: GitHub Actions, Docker Hub, npm, PyPI, and OpenVSX.
Vect is a ransomware-as-a-service (RaaS) operation that began recruiting affiliates on Russian-language cybercrime forums in late December 2025 and started claiming victims in early January 2026. Before joining forces with TeamPCP, Vect had posted approximately 23 victims on its leak site, primarily in Brazil, the United States, South Africa, and India, spanning manufacturing, healthcare, education, IT, and energy.
In late March 2026, Vect posted on a hacker forum announcing an alliance with TeamPCP. The post identified TeamPCP as the group responsible for the Trivy and LiteLLM supply chain breaches and declared Vect’s intent to pursue ransomware operations against every organization compromised during those campaigns. The announcement also offered every BreachForums member their own personal Vect affiliation key for immediate activation, dramatically expanding the pool of potential downstream attackers.
The Trivy Compromise:
The operation unfolded in two phases. TeamPCP gained initial access on 27 February 2026 by exploiting a misconfigured GitHub Actions workflow that used the pull_request_target trigger (which runs with the base repository's secrets even for pull requests opened from forks) to steal a Personal Access Token (PAT) belonging to Aqua Security's aqua-bot service account. Aqua detected the intrusion and attempted to rotate the compromised credentials, but the rotation was incomplete, leaving the attackers with enough residual access to return.
On 19 March, TeamPCP launched a coordinated multi-channel attack that resulted in CVE-2026-33634, a supply chain compromise affecting the official Trivy distribution infrastructure:
- Force-pushed malicious code to 76 of 77 version tags in aquasecurity/trivy-action and all 7 tags in aquasecurity/setup-trivy;
- Published a weaponized Trivy binary (v0.69.4) to GitHub Releases, Docker Hub, GHCR, ECR Public, and deb/rpm repositories;
- Deployed "TeamPCP Cloud Stealer", a purpose-built payload for CI/CD runner environments that dumped process memory from the GitHub Actions runner, swept SSH keys, cloud provider credentials, and Kubernetes secrets, encrypted the collected data (AES-256 with RSA-4096), and exfiltrated it to attacker-controlled servers.
If the primary command-and-control channel failed, the malware fell back to creating a repository called tpcp-docs inside the victim's own GitHub organization and storing the stolen secrets there; the presence of such a repository is therefore an indicator worth checking. The poisoned artifacts remained available for approximately 3–12 hours before Aqua Security pulled them, depending on the distribution channel.
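Two of the weaknesses above are mechanical and can be audited from the workflow file alone: a pull_request_target trigger that checks out the pull request's head revision (the pattern behind the aqua-bot PAT theft), and uses: references pinned to a mutable tag or branch rather than a full commit SHA (the reason force-pushing 76 tags delivered a payload to workflows nobody had edited). The script below is an added example, not code from Halcyon, Aqua Security, or the campaign; the two workflows it scans are constructed for illustration, and the 40-hex "commit SHA" in the hardened one is a placeholder rather than any real commit.

```python
"""Audit a GitHub Actions workflow for two supply-chain weaknesses:

1. ``pull_request_target`` combined with a checkout of the PR head, which runs
   untrusted pull-request code with the base repository's secrets and token.
2. ``uses:`` references that point at a mutable tag or branch instead of a
   40-character commit SHA, which a force-pushed tag can silently redirect.

Line-based scanning keeps this standard-library only; a production tool would
parse the YAML properly. Example code, not a project's own tooling.
"""
import re

SHA_PIN = re.compile(r"^[0-9a-f]{40}$")
PR_HEAD_REF = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
STEP_START = re.compile(r"^\s*-\s*(name|run|uses):")
PRT_TRIGGER = re.compile(r"(?m)^\s*(on:.*\bpull_request_target\b|pull_request_target:)")


def audit_workflow(text: str) -> list[str]:
    """Return human-readable findings for one workflow file (empty if clean)."""
    findings: list[str] = []
    lines = text.splitlines()
    checks_out_pr_head = False

    for i, line in enumerate(lines):
        m = USES_LINE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith(("./", "docker://")):
            continue  # local actions and docker images are out of scope here
        name, _, version = ref.partition("@")
        if not SHA_PIN.match(version):
            findings.append(f"line {i + 1}: {ref!r} is not pinned to a full commit SHA")
        if name.startswith("actions/checkout"):
            # Look inside this step's `with:` block for a ref pointing at the PR head.
            for nxt in lines[i + 1:i + 8]:
                if STEP_START.match(nxt):
                    break
                if re.match(r"^\s*ref:", nxt) and PR_HEAD_REF.search(nxt):
                    checks_out_pr_head = True

    if PRT_TRIGGER.search(text) and checks_out_pr_head:
        findings.insert(
            0,
            "pull_request_target trigger checks out the PR head: "
            "untrusted code runs with repository secrets and a write token",
        )
    return findings


# Constructed vulnerable workflow (not Aqua Security's real workflow).
VULNERABLE_WORKFLOW = """\
name: pr-check
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: aquasecurity/trivy-action@master
        with:
          scan-type: fs
        env:
          GITHUB_TOKEN: ${{ secrets.BOT_PAT }}
"""

# Constructed hardened workflow: plain pull_request (no secrets for forks) and
# SHA-pinned actions. The hex below is a PLACEHOLDER, not a real commit.
HARDENED_WORKFLOW = """\
name: pr-check
on:
  pull_request:
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567
        with:
          scan-type: fs
"""

if __name__ == "__main__":
    for label, wf in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"== {label} ==")
        for finding in audit_workflow(wf) or ["no findings"]:
            print(" -", finding)
```

Pinning to a SHA does not by itself verify what that commit contains, but it does mean that a tag moved by a stolen PAT cannot change what your pipeline runs; combined with a dependency-update bot that reviews the diff between pins, it turns a silent tag rewrite into a visible pull request.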
TeamPCP then used the stolen credentials to execute a rapid chain of follow-on compromises across three additional tools:
- Checkmarx KICS (21 March): Stolen GitHub PATs were used to force-push backdoored commits across all 35 version tags of the KICS GitHub Action. Stolen data was sent to checkmarx[.]zone, a typosquatted domain designed to blend with legitimate Checkmarx infrastructure.
- BerriAI LiteLLM—PyPI (23 March): Poisoned versions 1.82.7 and 1.82.8 appeared on PyPI. Version 1.82.8 introduced a particularly dangerous technique: it dropped a .pth file (litellm_init.pth) into site-packages, which Python's site module processes at interpreter startup, so the malware executed in every Python process launched on the host, regardless of whether LiteLLM was ever imported in code.
- Telnyx SDK—PyPI (27 March): The official Telnyx Python package was replaced with a version containing a three-stage RAT that communicated with an attacker-controlled server at 83[.]142[.]209[.]203.
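The .pth persistence technique used against LiteLLM relies on documented interpreter behaviour: at startup the site module reads every .pth file in each site directory, adds ordinary lines to sys.path, and passes any line that begins with "import " to exec(). The script below, added here as an example and not the real litellm_init.pth or any Halcyon tooling, builds a throwaway site directory with one normal .pth file and one constructed stand-in whose import line merely sets an environment variable, shows that processing the directory the way startup does executes that line, and provides a scanner you can point at your own site directories.

```python
"""Show why a .pth file is an execution vector and scan for executable ones.

The two .pth files written here are constructed for this example. The
"payload" only sets an environment variable so the demonstration is harmless.
Example code, not the real litellm_init.pth and not Halcyon's tooling.
"""
import os
import site
import tempfile
from pathlib import Path

BENIGN_PTH = "extra_libs\n"  # a normal .pth: one sys.path entry per line
DEMO_PTH = (
    "# constructed stand-in for a payload-carrying .pth file\n"
    "import os; os.environ['PTH_DEMO_RAN'] = '1'\n"
)


def write_demo_sitedir() -> Path:
    """Create a throw-away 'site-packages' with one benign and one executable .pth."""
    sitedir = Path(tempfile.mkdtemp(prefix="pth-demo-"))
    (sitedir / "extra_libs").mkdir()
    (sitedir / "paths.pth").write_text(BENIGN_PTH)
    (sitedir / "demo_init.pth").write_text(DEMO_PTH)
    return sitedir


def scan_pth(sitedir) -> dict[str, list[str]]:
    """Return {filename: [lines the site module would exec()]} for sitedir."""
    hits: dict[str, list[str]] = {}
    for pth in sorted(Path(sitedir).glob("*.pth")):
        exec_lines = [
            line for line in pth.read_text(errors="replace").splitlines()
            if line.startswith(("import ", "import\t"))  # same test site.py uses
        ]
        if exec_lines:
            hits[pth.name] = exec_lines
    return hits


def scan_active_site_dirs() -> dict[str, list[str]]:
    """Scan every site directory of the running interpreter (incl. user site)."""
    results: dict[str, list[str]] = {}
    for d in site.getsitepackages() + [site.getusersitepackages()]:
        if os.path.isdir(d):
            for name, lines in scan_pth(d).items():
                results[os.path.join(d, name)] = lines
    return results


def demonstrate_execution(sitedir) -> bool:
    """Process sitedir exactly as interpreter startup would; report if the
    constructed payload line ran."""
    os.environ.pop("PTH_DEMO_RAN", None)
    site.addsitedir(str(sitedir))  # reads *.pth, exec()s the import line
    return os.environ.get("PTH_DEMO_RAN") == "1"


if __name__ == "__main__":
    demo = write_demo_sitedir()
    print("executable .pth files in demo dir:", scan_pth(demo))
    print("payload ran on addsitedir:", demonstrate_execution(demo))
    print("executable .pth files in this interpreter's site dirs:")
    for path, lines in scan_active_site_dirs().items():
        print(" ", path, lines)
```

A .pth file with import lines is not automatically malicious: editable installs and some packaging tools (setuptools, for example) legitimately use them. Triage each hit by asking which package owns the file, whether its contents match that package's wheel, and whether the executed line reaches beyond sys.path manipulation; anything that decodes, downloads, or spawns a process belongs in the incident queue, and the host that ran it should be treated as compromised rather than simply cleaned.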
Mitigations:
Even organizations with continuous scanning pipelines were exposed in this campaign. Because Trivy runs inside the pipeline with access to the same credentials it is meant to protect, scanning more frequently offered no protection once the compromised version was in use; it simply ran the malicious binary more often. After immediately disabling Trivy, Halcyon completed remediation of our Trivy deployment and found no evidence of exfiltration affecting Halcyon or customer data. The steps we took are detailed below, followed by additional guidance for organizations using Checkmarx KICS, LiteLLM, and Telnyx SDK:
References:
Source Summary
This alert is based on information from dark web monitoring, the group’s original posts, leak site observations, and published threat intelligence. Assessments may be revised as additional evidence becomes available.
The Halcyon Ransomware Research Center unites experts, drives smart policies, and delivers actionable intelligence to detect, disrupt, and defeat ransomware.
