Vect and TeamPCP Cybercrime Groups Link for Ransomware Hits | #cybercrime | #infosec


Cybercrime
,
Fraud Management & Cybercrime
,
Next-Generation Technologies & Secure Development

Supply-Chain Victims Also at Risk From Poorly Coded, Data-Shredding Crypto-Locker

Image: Shutterstock

Cybercriminals behind a rash of software supply-chain attacks and known as TeamPCP have teamed up with a ransomware operation, warn researchers who say they’ve traced at least one crypto-locking incident to credentials stolen by the gang.

See Also: Know Thy Enemy: Threats to Cyber Resilience

TeamPCP specializes in supply-chain attacks against open-source software and is responsible for a run of self-propagating attacks instigated through poisoned uploads to JavaScript and Python software repositories. Close observers say the group has struggled to convert its intrusions into cash. That may change following an alliance with a newer ransomware-as-a-service operation called Vect. It has also collaborated with data-leak stalwart Lapsus$ to sell stolen data (see: GitHub Hacked, Internal Repositories Offered for Sale).

TeamPCP targets have included KICS, the Telnyx Python SDK and the Trivy open-source security scanning tool built by Aqua Security. In a cascading attack, the criminals used stolen Trivy credentials to push two Trojanized versions of the popular open-source Python library LiteLLM to the Python software repository PyPI. The packages were downloaded 47,000 times in 46 minutes before PyPI pulled them down.

Cybersecurity firm Sophos said TeamPCP, also known as PCPcat, ShellForce and DeadCatx3, appears to be comprised of former members of the Western, largely adolescent cybercrime collective known as The Com (see: Victims Are Rebuffing Ransomware Mass Data Theft Campaigns).

The group’s tactics prey on continuous integration and continuous development pipelines that automatically grab package updates, and include them in their new builds. That means its attacks spread quickly (see: Flurry of Supply-Chain Software Library Attacks).

Experts said the group’s recently announced partnership with Vect appears designed to help it more quickly monetize the access afforded by its supply-chain attacks. “The formal partnership between TeamPCP and Vect allows Vect to deploy ransomware across all organizations compromised in the Trivy and LiteLLM supply-chain attacks,” Sophos said.

“Together, we are ready to deploy ransomware across all affected companies that got hit by these attacks, and we won’t stop there,” Vect wrote on its data leak site. “We will pull off even bigger supply-chain operations. We will chain these compromises into devastating follow-on ransomware campaigns.”

Soon after the Trivy attack in March, Sophos researchers said they saw TeamPCP attempting to recruit negotiators, “suggesting the group anticipated a rapid move to monetization.”

Victims of the Trivy and LiteLLM campaign appear to include Cisco. Other known victims that lost code include cybersecurity firms Trellix and Checkmarx, which each suffered a GitHub code repository breach. Silicon Valley startup Mercor also told Fortune that it was “one of thousands of companies” affected by the LiteLLM attack.

On May 19, TeamPCP originally listed about 4,000 GitHub private repositories – GitHub confirmed 3,800 were stolen – on BreachForums, with a $50,000 price tag, according to a timeline published by threat intelligence firm Flare. Just two days later, the group pulled its listing and announced a partnership with Lapsus$ to sell the stolen data. Lapsus$ also listed data it claimed was stolen from Mercor. The criminals also listed claimed “source code, API keys, database credentials and employee details” from CheckMarx, while “TeamPCP itself publicly boasted of plans to chain these compromises into ransomware campaigns,” Sophos said.

Cybersecurity experts said the partnership likely reflect each groups attempting to focus on their core competencies.

“TeamPCP is the supply-chain attack expert, gaining initial access by poisoning open-source tools, malicious VS Code extensions and tampered npm/PyPI packages. But they have no darkweb platform and no buyer network. Lapsus$ is exactly the reverse: a mature leak site, buyer contacts and a full set of data-monetization channels. One handles the stealing, one handles the selling,” noted a May post to the Chinese-language ethical hacking site 77169, translated and shared by Flare.

Previously, TeamPCP had announced a partnership with the ransomware group CipherForce, designed “to publish information on breaches” unless victims paid a ransom, said Palo Alto Networks’ Unit 42 threat intelligence group in a March report.

But Sophos said CipherForce now appears to be run by TeamPCP itself.

Vect Promises Easy Affiliation

Ransomware groups typically only publicly name victims who don’t pay a ransom, which makes gauging their true victim count difficult.

Vect, in its March post to Breachforums.st announcing the partnership with TeamPCP, also announced a partnership with BreachForums, and promised it would make every one of its 300,000 users a potential business partner, or affiliate, in its ransomware-as-a-service operation.

BreachForums and TeamPCP appear to be interlinked. Threat intelligence firm Kela last month reported that the latest hacking forum calling itself BreachForums, founded in January after the FBI seized the last version in October 2025, is “currently owned by its co-creator ‘diencracked’ and the TeamPCP hacking group.” The other co-creator of this BreachForums and sometime Lapsus$ partner HasanBroker departed soon after the forum’s launch, due to a fallout with diencracked, Kela said.

Not all has been smooth sailing with TeamPCP’s partnerships. English cybersecurity firm JumpSec on April 28 reported that Vect’s encryptor appeared to be shoddily built, slow to encrypt and featured serious bugs. One particular flaw resulted in 75% of every file larger than 128 kilobytes being left unrecoverable, it said. Another flaw meant that files between 32 kilobytes and 128 kilobytes never got encrypted, making them easy to recover.

Check Point Research confirmed that those coding errors existed in each one of Vect’s Windows, Linux and ESXi variants, and likewise assessed the group’s crypto-locked malware as involving “amateur execution.”

Vect publicly dismissed the criticism, claiming its code worked perfectly. But Sophos said “TeamPCP released a statement confirming that they had never used Vect encryption tools and only ever used their own CipherForce locker.”

Given such uncertainty, “organizations impacted by Vect should not assume that a ransom payment will result in successful data restoration,” Sophos said.





Click Here For The Original Source.

——————————————————–

..........

.

.

National Cyber Security

FREE
VIEW