In a disturbing development within the realm of cybersecurity, TeamPCP has significantly undermined the stability of supply chains, laying the groundwork for VECT ransomware operations through the distribution of a vast cache of compromised continuous integration and continuous delivery (CI/CD) credentials. This revelation is pivotal, as it highlights an evolving threat landscape where organizations must rethink their strategies to gauge ransomware exposure accurately.
The modus operandi of TeamPCP starkly contrasts traditional victim selection methods. Instead of pre-designating targets, the group has compromised widely-utilized components such as Trivy, Checkmarx KICS, LiteLLM, and the Telnyx Python SDK. By contaminating these essential packages, TeamPCP has ensured that any organization utilizing these tools or executing affected workflows unwittingly becomes part of the attack vector.
Exploiting vulnerabilities in key frameworks, TeamPCP managed to infiltrate Trivy’s automated workflow via a known vulnerability (CVE-2026-33634), which allowed the introduction of malicious code into nearly all published versions by leveraging a stolen maintainer credential. Similarly, this approach enabled TeamPCP to manipulate various workflow tags within Checkmarx KICS, while also implanting a persistent loader known as litellm_init.pth into LiteLLM v1.82.8. This implant takes advantage of Python’s automatic .pth execution mechanism upon startup, allowing ongoing code execution to persist across developer machines and continuous integration (CI) runners.
Through their tampering efforts with the Telnyx SDK, TeamPCP executed a sophisticated campaign that deployed a multi-stage remote access trojan in specific versions. Alarmingly, the group used credentials obtained from victim organizations to establish a hidden repository titled “docs-tpcp” within targeted GitHub organizations. This tactic cleverly disguised their intrusions as legitimate automation activity in audit logs, further complicating detection and response efforts for affected organizations.
Reports from Check Point Research and the FBI’s Internet Crime Complaint Center (IC3) corroborate these findings, demonstrating how TeamPCP has systemically weaponized trusted open-source packages and CI workflows. The organization has been able to harvest automation tokens, cloud API keys, and service credentials on an unprecedented scale. These pilfered CI/CD and cloud tokens—including credentials from AWS, Azure, GCP, Kubernetes secrets, container registry credentials, as well as GitHub and GitLab tokens—are not merely endpoints for exploitation but represent a substantial inventory for future attacks.
By March 2026, TeamPCP amassed an astonishing collection of over 500,000 credentials from more than 10,000 pipelines. In a chilling twist, VECT operators used this treasure trove of credentials to select their targets after having gained initial access, indicating a significant paradigm shift in attack strategy and execution.
The disclosure of the partnership between TeamPCP and VECT on BreachForums on April 16, 2026, sheds light on the extensive implications of this alliance. Sophos CTU has confirmed the deployment of VECT ransomware using credentials sourced from TeamPCP, further amplifying the threat landscape for organizations at risk.
The FBI has also issued warnings that these credentials will be weaponized long after their initial compromise, indicating that affected organizations will remain vulnerable until they rotate and validate all keys and tokens. The urgency of this situation is compounded by research from Check Point, which uncovered a critical flaw in VECT 2.0’s encryption mechanism—particularly damaging for files larger than 128 KB. The flaw reveals inadequate cryptographic handling, allowing only the final value to be noted while the initial portions of large files become irrecoverable, even if a decryption key is provided.
Moreover, defenders are now faced with a challenging fragmented-detection landscape. Historical site records, workflow executions, and cloud audit logs present legitimate events linked to known service accounts or package installations; yet, no singular log entry encapsulates the entire attack pathway. This fragmentation draws parallels to previous supply-chain incidents, where breached tokens propagated laterally through authorized systems without raising holistic alarms.
To effectively address this crisis, organizations need to undertake pipeline-centric investigations. This involves searching for litellm_init.pth on developer and CI runners, scrutinizing Trivy and Checkmarx KICS action pins spanning the February-March window, inspecting specific versions of the Telnyx SDK, and tracing any docs-tpcp repositories positioned within GitHub organizations.
In the immediate term, it is imperative for organizations to take steps to safeguard their assets. This includes rotating all CI/CD and cloud credentials issued prior to April 2026, revoking any compromised service tokens, and meticulously auditing pipeline-run API calls in AWS CloudTrail, Azure Monitor, and GCP Cloud Audit Logs for any unusual activity linked to pipeline service accounts.
In the face of this evolving threat, it is essential for organizations to adapt and enhance their security postures to mitigate the risks presented by such extensive compromises in the supply chain.

