[FORECAST] TeamPCP shows why package cleanup is not containment
Supply-chain attacks are becoming access pipelines. The defender move is to follow credentials, not just packages.
TeamPCP and Vect: The Package Was Not the Prize. The Credentials Were.
TeamPCP and Vect are not just another supply-chain-and-ransomware story.
The useful read is that criminal operators are building a credential-to-extortion conveyor belt: one group compromises trusted tooling, harvests non-human credentials, and another group tests that access against victims.
For defenders and newer analysts, the job is not to memorize every affected package. It is to reason from poisoned tooling to reachable credentials, downstream access, and monetization.
That is harder than package cleanup.
It is also where the real work is.
This matters now because TeamPCP is no longer just a supply-chain actor in the abstract. Public reporting now ties the campaign family to downstream extortion pressure, named victim claims, and at least one verified Vect deployment using TeamPCP-sourced credentials. The March package incidents may be over. The credential inventory may not be.
Forecast in one line
Our current forecast is 72% that by December 31, 2026, at least three publicly named organizations will be credibly reported as suffering ransomware deployment, leak-site extortion, or extortion pressure explicitly linked to TeamPCP-style software-supply-chain credential theft.
That does not mean every exposed organization becomes a ransomware victim.
It means the access inventory appears valuable enough, and the monetization paths visible enough, that more public cases are likely.
The weak read and the stronger read
The weak read is:
Vect partnered with TeamPCP.
That is true as far as it goes, but it is not the best analyst takeaway.
The stronger read is:
Supply-chain compromise is becoming an access-production business. Ransomware is one checkout lane.
That distinction matters.
A package compromise may be short-lived. A stolen credential may not be. A malicious tool version can be removed. A cloud key, GitHub token, package-registry token, Kubernetes service-account token, or release credential can continue to matter after the package incident looks “over.”
This is the kind of problem that punishes tired teams. The alert says package compromise. The incident boundary says credentials, runners, repositories, registries, cloud accounts, secrets, release authority, and anything else the poisoned execution context could touch.
Security work is fun like that.
What appears to have happened
Based on the current public reporting summarized in our technical report:
- Sophos reports that Vect and TeamPCP announced an operational partnership in late March 2026, combining TeamPCP’s credential harvesting and data theft with Vect’s ransomware deployment infrastructure.
- Sophos also reports at least one verified Vect ransomware deployment using TeamPCP-sourced credentials, though the victim is not publicly named in the material reviewed.
- The FBI FLASH on TeamPCP warns that affiliated actors may weaponize exfiltrated data and credentials long after the initial compromise.
- SOCRadar publicly lists Guesty and S&P Global as Vect victim claims labeled as part of the LiteLLM/Trivy campaign associated with TeamPCP.
- Checkmarx has confirmed downstream unauthorized GitHub access tied to the Trivy supply-chain attack, with dark-web publication of data, though that is not the same thing as clean public proof of Vect encryption.
That last sentence matters.
Good analysis requires pressure control. Not every public claim weighs the same.
Analyst hygiene: do not flatten the evidence
A vendor-confirmed ransomware deployment is not the same as a ransomware-intelligence listing.
A victim-confirmed GitHub compromise is not the same as proof of encryption.
An actor claim is not the same as an independently supported victim case.
We track all of them. We do not treat them equally.
A useful way to think about the evidence:
| Evidence class | What it means | How to use it |
|---|---|---|
| Confirmed pipeline evidence | A victim, vendor, or government source confirms supply-chain access, downstream access, extortion, or ransomware use. | Strong evidence the model exists. Counts cleanly only when the victim and event are public. |
| Named credible reporting | A reputable security or ransomware-intelligence source names a victim and links the claim to TeamPCP, Vect, LiteLLM, Trivy, KICS, Telnyx, or the same campaign family. | Useful, but label it as claimed unless victim-confirmed. |
| Actor or forum claim | A leak-site, Telegram, forum, or affiliate claim without independent support. | Track as signal. Do not resolve the forecast from it. |
This is not nitpicking. This is the job.
A lot of bad threat intelligence comes from collapsing “someone claimed,” “someone reported,” and “someone confirmed” into the same sentence. Younger analysts should build the muscle early: confidence is part of the product.
New analyst field test
When reading a ransomware or supply-chain report, mark each major claim as one of three things: confirmed, credibly reported, or actor-claimed.
Then ask what would change your confidence.
If you cannot answer that, you are probably summarizing instead of analyzing.
Why short exposure windows still matter
The Trivy compromise is the central teaching case because it shows why short windows can still create long tails.
According to the technical report, the malicious Trivy exposure windows were measured in hours: roughly three hours for the malicious Trivy binary, 12 hours for trivy-action, four hours for setup-trivy, and 10 hours for Docker Hub images.
That sounds small.
It may not be small if those hours intersected with CI/CD, security scanning, release automation, cloud workflows, repository tokens, Kubernetes credentials, package publishing, and deployment paths.
A weak analyst sees a short exposure window and mentally closes the tab.
A stronger analyst asks:
What did that execution context have permission to read, write, publish, or authenticate to?
That is the question.
The malicious package is the delivery mechanism. The asset is the credential inventory.
Do not collapse the ladder
One of the easiest mistakes in this kind of incident is to jump from “we used the affected package” to “we are compromised,” or from “the exposure was brief” to “we are fine.”
Both are sloppy.
Use the ladder:
- Exposure — the affected package, action, image, plugin, or tool was present.
- Execution — the malicious version actually ran in a meaningful context.
- Credential theft — the process could access secrets, tokens, keys, or privileged files.
- Persistence or reuse — stolen access remained valid or was used elsewhere.
- Monetization — access or data became extortion, sale, leak pressure, ransomware deployment, or another payoff.
Do not skip steps.
Do not invent certainty.
But do not let “we only ran it once” become the whole analysis either.
If the poisoned tool ran in a GitHub Actions runner with access to repository tokens, cloud deployment credentials, package-registry publishing rights, and environment secrets, “once” may be enough.
The access market model
The TeamPCP/Vect story is useful because it points toward criminal specialization.
TeamPCP appears to sit closer to upstream access generation: compromise trusted developer, security, AI, or automation tooling; harvest credentials; create a pool of usable secrets and access.
Vect appears to sit closer to ransomware and extortion infrastructure: affiliates, lockers, victim publication, and monetization.
Forums and affiliate models add the distribution layer. They let more operators test more access against more victims.
The supply-chain crew does not need to become a ransomware crew.
It only needs to produce access that a ransomware crew can use.
That is the mental model newer analysts should take from this. Actor names matter, but market structure may matter more.
If you only follow the actor label, you may miss the handoff.
If you follow the credentials, you have a better chance of seeing where the story goes next.
For our paying members..
Below the line, in addition to the technical research report, we turn this from public reporting into an analyst workflow: how to separate exposure from compromise, how to reason through the 72% forecast, what evidence would move the call up or down, and the containment questions worth bringing to your next incident review.
Free OSINT can tell you a package was compromised.
The useful work is figuring out whether that compromise became reusable access.
The workflow: follow the credential boundary
After a supply-chain credential-theft incident, the defender’s first job is not to argue over actor branding.
It is to map blast radius.
That starts with a plain question: