TeamPCP’s attack spree slows, but threat escalates with ransomware pivot
TeamPCP’s destructive run of supply chain breaches has stopped, for now: it has been three days since the group published malicious versions of Telnyx’s SDK on PyPI, and there haven’t been reports of new open-source project compromises.
Partnership with emerging RaaS operation
“The prior operational cadence was aggressive – a new target every 1-3 days (Trivy [on] March 19, CanisterWorm [on] March 20-22, Checkmarx [on] March 23, LiteLLM [on] March 24, Telnyx [on] March 27),” SANS instructor Kenneth Hartman noted.
“The current pause, combined with the Vect ransomware affiliate announcement, suggests TeamPCP has shifted primary operational focus from supply chain expansion to monetization of existing credential harvests.”
The announcement in question was made by Vect, a new ransomware-as-a-service (RaaS) operation, on BreachForum, a known “hangout” for cybercriminals.
They announced both their partnership with TeamPCP and their plan to make all BreachForum members their affiliates (by providing a “Vect Affiliation Key”).
“Together, we are ready to deploy ransomware across all affected companies that got hit by these attacks, and we won’t stop there. We will pull off even bigger supply chain operations. We will chain these compromises into devastating follow-on ransomware campaigns,” they boasted.
The threat is real. According to Hartman, there has already been a first confirmed Vect ransomware deployment using TeamPCP-sourced credentials.
TeamPCP’s rapid evolution
TeamPCP emerged in 2024 and focused on targeting and compromising misconfigured Docker APIs, Kubernetes clusters, Ray dashboards, and Redis servers to steal credentials and deploy cryptominers.
In 2025, they started building their capacity for automated supply chain attacks.
“In late 2025 they deployed CanisterWorm, a self-propagating worm that used ICP Canister nodes as decentralized, censorship-resistant C2 infrastructure — the first observed use of this technique in the wild. In early 2026, destructive payloads with geotargeting logic appeared, combining credential theft with region-specific destruction,” says the OpenSourceMalware team.
“The March 2026 campaign represents the culmination: a cascading chain through five vendor ecosystems seeded by a single retained credential [from a previous Trivy compromise].”
They demonstrated their adaptability even during these latest supply chain attacks.
“In just eight days, the actor has pivoted across security scanners, AI infrastructure, and now telecommunications tooling evolving their delivery from inline Base64 to .pth auto-execution, and ultimately to split-file WAV steganography, while also expanding from Linux-only to dual-platform targeting with Windows persistence,” Trend Micro researchers noted in the wake of the Telnyx compromise.
Hartman also documented another of the group’s innovative techniques: the use of the GitHub Releases API as a fallback data exfiltration channel during a supply chain compromise.
TeamPCP’s attacks ripple through dependencies
Hartman pointed out that TeamPCP’s pause in supply chain compromises should not be interpreted as the end of the group’s supply chain operations.
“TeamPCP explicitly stated they intend to be ‘around for a long time,’ and stolen credentials from the estimated 300 GB trove could enable future package compromises at any time. The absence of new compromises may also reflect improved vigilance by package registries – PyPI has quarantined two TeamPCP campaigns in rapid succession, which may be raising the attacker’s cost of operations on that platform.”
Open-source maintainers must realize that TeamPCP is an eminently capable attack group and should take steps to secure their projects.
“This incident also exposes the absolute stupidity of blindly updating to the latest package versions. The obsession with using the newest patch the second it drops is a massive vulnerability,” Trend Micro researchers also opined.
“If your CI/CD pipeline automatically pulls the newest release without a quarantine period, you are automating your own breach. Pin your dependencies to cryptographic hashes. Let someone else’s infrastructure test the newest release for supply chain malware first.”
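The pinning advice above can be checked mechanically. The following is an added example, not code from Trend Micro or any project named in this article: a small audit that flags pip requirements entries lacking an exact `==` pin or a `--hash=` digest. The package names and the sample file are constructed.

```python
import re

# name, optional [extras], then an exact "==" version (no wildcard)
PINNED = re.compile(
    r"^[A-Za-z0-9][A-Za-z0-9._-]*(\[[^\]]*\])?\s*==\s*[^\s;*]+(?=\s|;|$)")
HASH = re.compile(r"--hash=sha(256|384|512):[0-9a-f]{64,}")


def logical_lines(text):
    """Join backslash continuations, drop comments and blank lines."""
    joined = re.sub(r"\\\r?\n", " ", text)
    for raw in joined.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if line:
            yield line


def audit_requirements(text):
    """Return (requirement, problem) pairs for entries that could resolve
    to a different artifact than the one originally reviewed."""
    findings = []
    for line in logical_lines(text):
        if line.startswith("-"):   # options (-r, -c, --index-url): not followed
            continue
        name = re.split(r"[\s=<>!~;\[@]", line, maxsplit=1)[0]
        if not PINNED.match(line):
            findings.append((name, "not pinned to an exact version"))
        if not HASH.search(line):
            findings.append((name, "no --hash digest"))
    return findings


# Constructed sample requirements file (hypothetical packages and digest).
SAMPLE = """\
# constructed sample, not a real project file
--index-url https://pypi.org/simple
alpha==1.2.3 \\
    --hash=sha256:HASH
beta>=2.0
gamma==4.5.6  # pinned but unhashed
""".replace("HASH", "a" * 64)

if __name__ == "__main__":
    for name, problem in audit_requirements(SAMPLE):
        print(f"{name}: {problem}")
```

Once every entry passes, installing with `pip install --require-hashes -r requirements.txt` makes pip refuse any artifact whose digest is not listed.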
GitGuardian researchers have analyzed how TeamPCP’s supply chain attacks spread through dependencies and automation pipelines, and found that:
- 474 public repositories executed malicious code from the compromised trivy-action (CI/CD component)
- 1,750 Python (PyPI) packages were set up in a way that would automatically pull the poisoned LiteLLM versions
Those numbers are not definitive – i.e., they are likely bigger – because the researchers did not (could not) analyze private GitHub repositories, and they limited their search to Python packages with a direct dependency on LiteLLM.
“The package could have been included through a longer dependency chain. Looking for the exact digest of the malicious packages is the only way to determine if the dependency was downloaded on a given machine,” they pointed out, and shared the malicious packages’ SHA256 digests for organizations to use when investigating.
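A digest search of the kind described above can be scripted. This is an added example, not GitGuardian's tooling: it hashes package archives under a directory and also searches lock files for the same digests, since lock files record artifact hashes even after the archive is gone. The digest set is a placeholder to be filled from the published advisory; the list of lock file names is an assumption.

```python
import hashlib
import re
import sys
from pathlib import Path

# Placeholder: fill in with the SHA256 digests from the published advisory.
KNOWN_BAD_SHA256 = {"<sha256-digest-from-advisory>"}

ARCHIVE_SUFFIXES = (".whl", ".tar.gz", ".zip")   # raw package artifacts
LOCKFILE_NAMES = {"requirements.txt", "poetry.lock", "Pipfile.lock", "uv.lock"}
HEX64 = re.compile(r"\b[0-9a-f]{64}\b")


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large archives do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def scan(root, bad_digests):
    """Return sorted (kind, path) hits: archives whose content hashes to a
    known-bad digest, and lock files that record one."""
    bad = {d.lower() for d in bad_digests}
    hits = []
    for path in Path(root).rglob("*"):
        try:
            if not path.is_file():
                continue
            if path.name.endswith(ARCHIVE_SUFFIXES):
                if sha256_file(path) in bad:
                    hits.append(("artifact", str(path)))
            elif path.name in LOCKFILE_NAMES:
                text = path.read_text(errors="replace").lower()
                if bad & set(HEX64.findall(text)):
                    hits.append(("lockfile", str(path)))
        except OSError:
            continue  # unreadable entry: skip it, keep scanning
    return sorted(hits)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for kind, path in scan(root, KNOWN_BAD_SHA256):
        print(f"{kind}\t{path}")
```

An installed site-packages tree does not retain the original archive, so point the scan at wheel directories, artifact mirrors, build caches and project checkouts.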

