Skip to content
.ca
sign in
4 mincritical

TeamPCP Partners With Ransomware Group Vect to Target Open Source Supply Chains

Threat actor TeamPCP has formed an alliance with the Vect Ransomware-as-a-Service (RaaS) group to weaponize recent open-source supply chain compromises. By leveraging approximately 300 GB of stolen credentials and tokens harvested from CI/CD pipelines and security tools like Trivy and LiteLLM, the groups intend to facilitate large-scale ransomware deployments across affected enterprise environments.

Sens:ImmediateConf:highAnalyzed:2026-03-27reports
ActorsTeamPCPVect Ransomware Group
Vect RansomwareCI/CD CompromiseBreachForumsSupply Chain AttackTeamPCP

Source:Socket

Key Takeaways

  • Threat actor TeamPCP has partnered with the Vect ransomware group to monetize recent open-source supply chain compromises.
  • Vect announced on BreachForums that all forum members will receive affiliation keys, massively expanding their potential affiliate pool for ransomware deployment.
  • The alliance aims to use compromised CI/CD pipelines and stolen credentials (from tools like Trivy and LiteLLM) as initial access for coordinated ransomware campaigns.
  • TeamPCP has reportedly exfiltrated approximately 300 GB of credentials, tokens, and secrets harvested from CI/CD environments.

Affected Systems

  • CI/CD pipelines and build environments
  • Open source security tools (Trivy, LiteLLM)
  • GitHub Actions
  • OpenVSX extensions
  • Docker images
  • npm packages
  • PyPI packages

Attack Chain

TeamPCP initially compromises open-source supply chains, targeting tools like Trivy, LiteLLM, and various package repositories to infiltrate CI/CD pipelines. Once inside, they use scanners to harvest and exfiltrate credentials, tokens, and secrets from the build environments. These stolen credentials are then provided to the Vect ransomware group and its affiliates via BreachForums, who use them to gain initial access to enterprise networks. Finally, the affiliates deploy Vect ransomware to extort the victim organizations.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The provided article does not contain specific detection rules or queries.

Detection Engineering Assessment

EDR Visibility: Medium — EDR solutions can detect the final ransomware payload execution on endpoints, but may have limited visibility into the initial CI/CD pipeline compromise or token abuse occurring in cloud or SaaS environments. Network Visibility: Medium — Network monitoring might detect large data exfiltration events (e.g., the 300GB of credentials) from build servers, but API calls using stolen tokens may blend in with legitimate traffic. Detection Difficulty: Hard — Distinguishing legitimate CI/CD automation and security scanner activity from malicious actions using stolen, valid tokens is highly challenging and prone to false positives.

Required Log Sources

  • CI/CD pipeline audit logs
  • Cloud provider API/Audit logs (e.g., AWS CloudTrail)
  • Authentication and Identity Provider (IdP) logs
  • Endpoint process execution logs

Hunting Hypotheses

HypothesisTelemetryATT&CK StageFP Risk
Look for anomalous access patterns, unusual API calls, or logins from unexpected geolocations originating from CI/CD service accounts or tokens.Cloud Audit Logs / Identity LogsInitial AccessMedium
Monitor for unexpected outbound data transfers or archiving tool execution on build servers or CI/CD runners, indicating potential credential harvesting and exfiltration.Network Flow Logs / EDR Process LogsExfiltrationHigh

Control Gaps

  • Lack of strict least privilege on CI/CD tokens and service accounts
  • Insufficient monitoring of build pipeline environments and runner infrastructure
  • Over-permissive access granted to security scanners and IDE extensions

Key Behavioral Indicators

  • Anomalous API usage by service accounts outside of normal build windows
  • Unexpected execution of archiving tools (tar, zip) in CI/CD environments
  • Logins to enterprise infrastructure using CI/CD credentials from unknown IP addresses

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Rotate all credentials, API keys, and tokens stored in or accessible by CI/CD pipelines, especially those integrated with Trivy or LiteLLM.
  • Audit recent CI/CD pipeline executions for unauthorized modifications, unexpected steps, or anomalous outbound connections.
  • Review and restrict permissions for service accounts used by open-source security tools and extensions.

Infrastructure Hardening

  • Implement strict least privilege access controls for all CI/CD environments and build tools.
  • Enforce short-lived, dynamically generated credentials (e.g., OIDC) for pipeline execution instead of static, long-lived secrets.
  • Isolate build environments from production networks and restrict outbound internet access from CI/CD runners.

User Protection

  • Enforce Multi-Factor Authentication (MFA) on all developer, administrative, and cloud access accounts.
  • Monitor developer endpoints for unauthorized access to source code repositories or credential stores.

Security Awareness

  • Train developers and DevOps engineers on the risks of supply chain attacks and secure secret management practices.
  • Establish clear procedures for verifying the integrity and security posture of third-party dependencies, extensions, and container images.

MITRE ATT&CK Mapping

  • T1195.001 - Supply Chain Compromise: Compromise Software Dependencies and Development Tools
  • T1552.004 - Unsecured Credentials: Private Keys
  • T1078 - Valid Accounts
  • T1486 - Data Encrypted for Impact

Related