<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Next.js (15.x With App Router) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/next.js-15.x-with-app-router/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 02 Jul 2026 12:00:57 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/next.js-15.x-with-app-router/feed.xml" rel="self" type="application/rss+xml"/><item><title>Vect and TeamPCP Partner for Ransomware Campaigns Exploiting Supply Chain Compromises</title><link>https://feed.craftedsignal.io/briefs/2026-07-vect-teampcp-ransomware/</link><pubDate>Thu, 02 Jul 2026 12:00:57 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-vect-teampcp-ransomware/</guid><description>The threat groups Vect and TeamPCP have formally partnered since March 2026 to conduct widespread ransomware deployment and extortion campaigns by leveraging TeamPCP's credential harvesting and data theft capabilities, often initiated through supply chain compromises involving poisoned software updates and exploitation of critical vulnerabilities like CVE-2025-55182, leading to significant data exfiltration and encrypted systems across multiple sectors.</description><content:encoded><![CDATA[<p>Since late March 2026, the interconnected threat groups Vect and TeamPCP have forged a formal operational partnership to amplify their ransomware and extortion campaigns. TeamPCP, also known as PCPcat, ShellForce, and DeadCatx3, specializes in credential harvesting and data theft, often initiating attacks through the mass exploitation of critical vulnerabilities such as the React2Shell vulnerability (CVE-2025-55182) in React Server Components, or by compromising development systems of widely used open-source tools like Trivy, Checkmarx, LiteLLM, and Telnyx. This allows them to inject malicious payloads into official software channels, leading to supply chain compromises. Vect, a ransomware-as-a-service (RaaS) operation that emerged in December 2025, then leverages the access and stolen credentials to deploy its ransomware, Vect 2.0, across victim networks. The combined operation impacts organizations in various sectors including technology, finance, healthcare, and government across North America, Europe, and Asia.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access &amp; Vulnerability Exploitation</strong>: TeamPCP gains initial access by exploiting critical public-facing application vulnerabilities (e.g., React2Shell, CVE-2025-55182) or compromising developer credentials through social engineering or other means, targeting supply chain components like development systems (e.g., Trivy's infrastructure) or CI/CD pipelines (e.g., LiteLLM, Telnyx).</li>
<li><strong>Supply Chain Poisoning &amp; Malicious Delivery</strong>: Attackers inject malicious code into legitimate software updates (e.g., poisoned Trivy scanner, Checkmarx GitHub Actions, malicious PyPI packages for LiteLLM and Telnyx Python SDK) and publish them to official channels (e.g., GitHub, OpenVSX marketplace, PyPI).</li>
<li><strong>Credential Harvesting &amp; Data Collection</strong>: When victims install the poisoned software, embedded payloads silently execute, harvesting sensitive information including passwords, cloud credentials, and other secrets from the compromised systems. Some payloads use novel techniques like WAV audio steganography.</li>
<li><strong>Lateral Movement &amp; Persistence</strong>: Stolen credentials are used to spread self-propagating worms (e.g., CanisterWorm) across interconnected software packages or leverage Kubernetes-oriented lateral movement logic. Malicious packages may also establish persistence by triggering automatically on Python interpreter startup.</li>
<li><strong>Command and Control (C2) &amp; Exfiltration</strong>: Harvested data is transmitted to attacker-controlled servers, often leveraging unusual outbound network activity (e.g., via port 666), or exfiltrated to hidden repositories within the victim's compromised cloud accounts (e.g., private GitHub repositories).</li>
<li><strong>Ransomware Deployment &amp; Extortion</strong>: The access facilitated by TeamPCP's operations is then utilized by Vect's ransomware-as-a-service infrastructure to deploy the Vect 2.0 ransomware payload. Victims face data encryption, and stolen data (source code, API keys, employee details) is used on data leak sites (e.g., Vect's, Lapsus$ group's) for extortion.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The partnership between Vect and TeamPCP has led to a significant increase in ransomware deployments and data theft incidents. Organizations in Canada, Serbia, South Korea, the UAE, and the United States, spanning technology, finance, healthcare, and government sectors, have been impacted. Successful attacks result in the encryption of critical systems, leading to operational disruption, and the exfiltration of highly sensitive data such as source code, API keys, database credentials, and employee details, which are subsequently used for extortion. The scale of the supply chain compromises means a single poisoned update can affect thousands of organizations, dramatically increasing the potential for widespread damage and financial loss.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li><strong>Patch CVE-2025-55182 immediately</strong> on all instances of React Server Components to prevent initial access.</li>
<li><strong>Deploy the Sigma rule <code>Detect TeamPCP Outbound Port 666</code></strong> to identify suspicious network connections indicative of TeamPCP C2 activity.</li>
<li><strong>Monitor outbound network connections</strong> for unusual ports like 666, especially from development or build environments, using <code>network_connection</code> logs.</li>
<li><strong>Implement software supply chain security practices</strong> to validate the integrity of third-party software updates and dependencies, especially from PyPI and GitHub.</li>
<li><strong>Review and audit permissions for GitHub Actions workflows</strong> and OpenVSX plugins, ensuring least privilege and monitoring for unauthorized modifications.</li>
<li><strong>Enable comprehensive logging for process creation and network activity</strong> to support the detection of malicious payloads harvesting credentials.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">threat</category><category>ransomware</category><category>supply-chain-attack</category><category>data-theft</category><category>credential-access</category><category>extortion</category><category>python</category><category>github</category><category>pypi</category></item></channel></rss>