TeamPCP — Supply Chain Compromise of Trivy, LiteLLM, and KICS Feeds VECT Ransomware Credential Archive

AI relevance: LiteLLM is a core proxy layer in AI inference pipelines — its compromise gave attackers persistent code execution on every machine running the package, harvesting cloud keys and CI/CD tokens that protect downstream model serving infrastructure.

What Happened

  • TeamPCP — the threat actor behind the Shai-Hulud supply-chain worm — compromised four widely used open-source packages between February and March 2026: Trivy (container scanner), Checkmarx KICS (IaC scanner), LiteLLM (AI model proxy, ~95M monthly downloads), and the Telnyx Python SDK.
  • Trivy's automated workflow was hit via CVE-2026-33634: a stolen maintainer credential let TeamPCP overwrite 76 of 77 published versions with malicious workflow code.
  • Checkmarx KICS had 35 workflow tags overwritten. TeamPCP also used each victim organization's own automation credentials to create hidden docs-tpcp repositories inside victim GitHub accounts — making intrusion activity appear as legitimate automation in audit logs.
  • LiteLLM v1.82.8 received a litellm_init.pth file — Python automatically reads and executes .pth files on every startup, giving TeamPCP persistent code execution on any machine that installed the package, including CI runners and developer workstations.
  • Telnyx SDK versions 4.87.1 and 4.87.2 shipped a three-stage remote access trojan.
  • By March 2026, TeamPCP had amassed 500,000+ stolen credentials from 10,000+ CI/CD pipelines — AWS, Azure, GCP tokens, Kubernetes secrets, container registry credentials, GitHub/GitLab access tokens.
  • VECT ransomware operators then selected victims from that credential archive. Target selection happened after access, not before — reversing the conventional ransomware kill chain.
  • The partnership was publicly announced on BreachForums on April 16, 2026. Sophos CTU confirmed at least one VECT deployment using TeamPCP-sourced credentials.
  • FBI IC3 FLASH-20260702-01 (published July 2, 2026) warns these credentials "will be weaponized long after the initial compromise."
  • Check Point Research's technical analysis (CPR-2026-0428) found VECT 2.0's encryption is broken for files >128 KB — the first three-quarters of large files become permanently scrambled. Paying the ransom does not restore them.

Why It Matters

This is the first confirmed ransomware operation where the access broker phase was conducted entirely through open-source supply chain compromise of security tooling itself (Trivy, KICS). Organizations that installed these packages to improve their security posture inadvertently gave attackers persistent access to their CI/CD pipelines. The fragmented-log problem — package install logs, workflow execution logs, and cloud audit logs each show legitimate events attributed to known service accounts — makes holistic detection nearly impossible without pipeline-centric correlation.

What To Do

  • Check affected versions immediately: Trivy GitHub Action pinned to 0.76.x or 0.77.x tags, Checkmarx KICS affected tags, LiteLLM v1.82.8, Telnyx SDK 4.87.1/4.87.2 — all between February–April 2026.
  • Search for artifacts: litellm_init.pth on developer and CI runners; docs-tpcp repositories in GitHub organizations; anomalous Trivy/KICS workflow runs.
  • Rotate all CI/CD and cloud credentials issued before April 2026 in affected environments. Revoke compromised service tokens.
  • Audit pipeline-run API calls in AWS CloudTrail, Azure Monitor, and GCP Cloud Audit Logs for anomalous activity from pipeline service accounts.
  • Pin dependencies by hash, not tag — and require signed commits for workflow changes in critical security tooling repos.

Sources