{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/checkmarx-kics-github-action/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["Vect","TeamPCP"],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["React Server Components","Trivy","Checkmarx KICS GitHub Action","Checkmarx AST GitHub Action","OpenVSX plugins","Bitwarden CLI","LiteLLM","Telnyx Python SDK","React (19.0.0, 19.1.0, 19.1.1, 19.2.0)","Next.js (15.x with App Router)","Next.js (16.0.0-16.0.6)"],"_cs_severities":["high"],"_cs_tags":["ransomware","supply-chain-attack","data-theft","credential-access","extortion","python","github","pypi"],"_cs_type":"threat","_cs_vendors":["Meta","Aqua Security","Checkmarx","Bitwarden","BerriAI","Telnyx","Facebook","Vercel"],"content_html":"\u003cp\u003eSince late March 2026, the interconnected threat groups Vect and TeamPCP have forged a formal operational partnership to amplify their ransomware and extortion campaigns. TeamPCP, also known as PCPcat, ShellForce, and DeadCatx3, specializes in credential harvesting and data theft, often initiating attacks through the mass exploitation of critical vulnerabilities such as the React2Shell vulnerability (CVE-2025-55182) in React Server Components, or by compromising development systems of widely used open-source tools like Trivy, Checkmarx, LiteLLM, and Telnyx. This allows them to inject malicious payloads into official software channels, leading to supply chain compromises. Vect, a ransomware-as-a-service (RaaS) operation that emerged in December 2025, then leverages the access and stolen credentials to deploy its ransomware, Vect 2.0, across victim networks. The combined operation impacts organizations in various sectors including technology, finance, healthcare, and government across North America, Europe, and Asia.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access \u0026amp; Vulnerability Exploitation\u003c/strong\u003e: TeamPCP gains initial access by exploiting critical public-facing application vulnerabilities (e.g., React2Shell, CVE-2025-55182) or compromising developer credentials through social engineering or other means, targeting supply chain components like development systems (e.g., Trivy's infrastructure) or CI/CD pipelines (e.g., LiteLLM, Telnyx).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSupply Chain Poisoning \u0026amp; Malicious Delivery\u003c/strong\u003e: Attackers inject malicious code into legitimate software updates (e.g., poisoned Trivy scanner, Checkmarx GitHub Actions, malicious PyPI packages for LiteLLM and Telnyx Python SDK) and publish them to official channels (e.g., GitHub, OpenVSX marketplace, PyPI).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Harvesting \u0026amp; Data Collection\u003c/strong\u003e: When victims install the poisoned software, embedded payloads silently execute, harvesting sensitive information including passwords, cloud credentials, and other secrets from the compromised systems. Some payloads use novel techniques like WAV audio steganography.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement \u0026amp; Persistence\u003c/strong\u003e: Stolen credentials are used to spread self-propagating worms (e.g., CanisterWorm) across interconnected software packages or leverage Kubernetes-oriented lateral movement logic. Malicious packages may also establish persistence by triggering automatically on Python interpreter startup.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommand and Control (C2) \u0026amp; Exfiltration\u003c/strong\u003e: Harvested data is transmitted to attacker-controlled servers, often leveraging unusual outbound network activity (e.g., via port 666), or exfiltrated to hidden repositories within the victim's compromised cloud accounts (e.g., private GitHub repositories).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRansomware Deployment \u0026amp; Extortion\u003c/strong\u003e: The access facilitated by TeamPCP's operations is then utilized by Vect's ransomware-as-a-service infrastructure to deploy the Vect 2.0 ransomware payload. Victims face data encryption, and stolen data (source code, API keys, employee details) is used on data leak sites (e.g., Vect's, Lapsus$ group's) for extortion.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe partnership between Vect and TeamPCP has led to a significant increase in ransomware deployments and data theft incidents. Organizations in Canada, Serbia, South Korea, the UAE, and the United States, spanning technology, finance, healthcare, and government sectors, have been impacted. Successful attacks result in the encryption of critical systems, leading to operational disruption, and the exfiltration of highly sensitive data such as source code, API keys, database credentials, and employee details, which are subsequently used for extortion. The scale of the supply chain compromises means a single poisoned update can affect thousands of organizations, dramatically increasing the potential for widespread damage and financial loss.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch CVE-2025-55182 immediately\u003c/strong\u003e on all instances of React Server Components to prevent initial access.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeploy the Sigma rule \u003ccode\u003eDetect TeamPCP Outbound Port 666\u003c/code\u003e\u003c/strong\u003e to identify suspicious network connections indicative of TeamPCP C2 activity.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMonitor outbound network connections\u003c/strong\u003e for unusual ports like 666, especially from development or build environments, using \u003ccode\u003enetwork_connection\u003c/code\u003e logs.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImplement software supply chain security practices\u003c/strong\u003e to validate the integrity of third-party software updates and dependencies, especially from PyPI and GitHub.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReview and audit permissions for GitHub Actions workflows\u003c/strong\u003e and OpenVSX plugins, ensuring least privilege and monitoring for unauthorized modifications.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEnable comprehensive logging for process creation and network activity\u003c/strong\u003e to support the detection of malicious payloads harvesting credentials.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-17T00:01:39Z","date_published":"2026-07-02T12:00:57Z","id":"https://feed.craftedsignal.io/briefs/2026-07-vect-teampcp-ransomware/","summary":"The threat groups Vect and TeamPCP have formally partnered since March 2026 to conduct widespread ransomware deployment and extortion campaigns by leveraging TeamPCP's credential harvesting and data theft capabilities, often initiated through supply chain compromises involving poisoned software updates and exploitation of critical vulnerabilities like CVE-2025-55182, leading to significant data exfiltration and encrypted systems across multiple sectors.","title":"Vect and TeamPCP Partner for Ransomware Campaigns Exploiting Supply Chain Compromises","url":"https://feed.craftedsignal.io/briefs/2026-07-vect-teampcp-ransomware/"}],"language":"en","title":"CraftedSignal Threat Feed - Checkmarx KICS GitHub Action","version":"https://jsonfeed.org/version/1.1"}