A post on BreachForums recently announced that TeamPCP, the threat actor linked to the Trivy and LiteLLM supply chain compromises, joined up with the Vect ransomware‑as‑a‑service (RaaS) operation to provide affiliate keys for hundreds of thousands of forum users. While this might look like dark web bragging, it points to a larger development that we’ve been following: cybercrime’s transformation into a platform business.

Instead of isolated groups buying and selling one‑off footholds, these businesses look like vertically integrated criminal value chains. Here, supply chain compromises are at the top, privileged access is in the middle, and industrialized ransomware monetization is at the bottom. All three are connected by a massive underground community.
For security teams, this is a signal to stop treating software supply chain attacks and ransomware as separate problems.
Who’s Involved and Why It Matters
The BreachForums post details three distinct layers of the underground ecosystem.
1. Vect: The Monetization Engine
Vect is a relatively new ransomware‑as‑a‑service (RaaS) group first observed in late 2025. Their primary targets are organizations in the manufacturing, education, and engineering industries. Researchers describe a professionally run operation:
- A structured affiliate program launched in December 2025
- Custom C++ ransomware rather than repackaged leaks
- Double‑extortion tactics with data theft before encryption
- Cross‑platform support and clearly documented playbooks for affiliates
Vect is positioning itself as a platform for others to carry out attacks at scale.
2. TeamPCP: The Supply Chain Access Layer
In a matter of days in March 2026, TeamPCP compromised Trivy (a widely trusted open source scanner), Checkmarx/KICS components, and the hugely popular LiteLLM Python package. These were not fake projects or typosquats, but legitimate tools turned into delivery vehicles for an infostealer and credential‑harvesting malware.
Reports from multiple vendors outline the same pattern:
- Abuse of a misconfigured GitHub Actions workflow in Trivy to steal CI/CD secrets and force‑push poisoned tags and releases.
- Propagation into Docker images and dependent pipelines, harvesting cloud tokens, SSH keys, and Kubernetes secrets at scale.
- Expansion into PyPI via LiteLLM and telnyx using compromised CI credentials to publish malicious versions (LiteLLM 1.82.7 and 1.82.8) that exfiltrated keys, secrets, and wallets from thousands of downstream environments.
TeamPCP is a cloud‑native, developer‑ecosystem intruder weaponizing the tools defenders rely on to secure their environments, a far cry from traditional access brokers.
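One way to catch the force-pushed tag pattern described above, as an added example that is not TeamPCP tooling or code from any of the projects named here: record the tag-to-commit mapping of a vetted tool, then diff it against the current `git ls-remote --tags` output. Tag names and commit hashes below are constructed placeholders, not real Trivy release data.

```python
"""Detect release tags that were rewritten since a vetted baseline (added example)."""
from typing import Dict, List, Tuple

# Baseline: tag -> commit recorded when the tool was last reviewed (constructed values).
BASELINE: Dict[str, str] = {
    "v0.60.0": "1111111111111111111111111111111111111111",
    "v0.61.0": "2222222222222222222222222222222222222222",
}

# Constructed `git ls-remote --tags <repo>` output. Annotated tags appear twice:
# the tag object itself and the peeled commit (suffix ^{}); only the peeled line
# says which commit the tag really resolves to.
LS_REMOTE_OUTPUT = """\
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\trefs/tags/v0.60.0
1111111111111111111111111111111111111111\trefs/tags/v0.60.0^{}
bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb\trefs/tags/v0.61.0
3333333333333333333333333333333333333333\trefs/tags/v0.61.0^{}
4444444444444444444444444444444444444444\trefs/tags/v0.61.1
"""


def parse_ls_remote(output: str) -> Dict[str, str]:
    """Map tag name -> commit it resolves to, preferring peeled (^{}) entries."""
    tags: Dict[str, str] = {}
    for line in output.splitlines():
        if not line.strip():
            continue
        sha, ref = line.split("\t", 1)
        if not ref.startswith("refs/tags/"):
            continue
        name = ref[len("refs/tags/"):]
        if name.endswith("^{}"):
            tags[name[:-3]] = sha        # peeled commit overrides the tag object
        else:
            tags.setdefault(name, sha)   # lightweight tag, or annotated tag not yet peeled
    return tags


def find_tag_drift(baseline: Dict[str, str], current: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Return (rewritten_tags, new_tags). Legitimate releases add tags; a tag whose
    commit changed is the force-push signal worth paging on."""
    rewritten = sorted(t for t, sha in baseline.items() if t in current and current[t] != sha)
    new_tags = sorted(t for t in current if t not in baseline)
    return rewritten, new_tags


if __name__ == "__main__":
    print(find_tag_drift(BASELINE, parse_ls_remote(LS_REMOTE_OUTPUT)))
```

Run it on real data by feeding the stdout of `git ls-remote --tags <repo>` to `parse_ls_remote` and storing the baseline alongside your pinned tool versions.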
3. BreachForums: The Social and Economic Backbone
BreachForums is one of the main English‑language hubs where stolen data, access, and services are traded. Despite takedowns, domain seizures, and even leaks of its own database, it continues to act as a central marketplace and reputation system for a large and active user base.
The TeamPCP–Vect BreachForums announcement claims that roughly 300,000 registered users will receive personal affiliate keys for Vect. This signals a clear intention of turning the forum into a ready‑made ransomware platform.
How Credible Is the Alliance?
Taking all evidence into account, we can safely say that the TeamPCP–Vect partnership is credible and consistent with observed activity. Still, the depth of operational coordination remains unverified.
- The forum post and subsequent reporting by outlets and analysts are real.
- TeamPCP’s role in the Trivy, Checkmarx, and LiteLLM supply chain compromises has been confirmed by multiple independent vendors.
- Vect is a documented RaaS program with victims and an active affiliate recruitment campaign.
- BreachForums remains a major hub even after its own data leaks and relaunches.
The strategic alignment, with supply chain access feeding a RaaS platform and distributed through a large forum, is plausible and consistent with what we see in telemetry and reporting. At the same time, promises like “every user gets an affiliate key” are likely not true and are designed to recruit, intimidate, and generate hype.
Shifting From Individual Incidents to an Integrated Criminal Supply Chain
Defenders can no longer analyze cybercrime in silos, with forums over here, access brokers over there, and ransomware crews and data leak sites somewhere else. The TeamPCP–Vect–BreachForums story shows that these groups are forming a single, coherent supply chain consisting of:
- An upstream compromise: A trusted tool like Trivy or LiteLLM is compromised in its own CI/CD or release process, often via configuration weaknesses and unpinned dependencies.
- Secret and access harvesting: The compromised code runs inside thousands of pipelines and services, quietly harvesting cloud credentials, SSH keys, Kubernetes secrets, and other high‑value tokens.
- Access pipeline to RaaS: Those secrets feed into a RaaS ecosystem like Vect, where affiliates can select targets and deploy ransomware with relatively little technical skill.
- Distribution via dark‑web platforms: A forum like BreachForums provides the social graph, reputation system, and market where affiliates, initial‑access brokers, and service providers meet and transact.
Supply chain compromise, access, and monetization are no longer separate industries; they are stages in a single criminal business model.
What Security Teams Should Do Differently
If you are responsible for protecting an organization that builds or runs software, the developments outlined here have practical implications:
- Treat supply chain incidents as ransomware precursors: If you were exposed to the Trivy, Checkmarx, LiteLLM, or Telnyx compromises, assume sensitive data is already circulating in the broader affiliate ecosystem.
- Re‑baseline your CI/CD and dependency risk: Instrument pipelines to detect unexpected tag changes, unusual publish events, and anomalous use of tokens. Rotate credentials that could have been accessed by compromised tools, and reduce long‑lived or over‑privileged secrets wherever possible.
- Connect threat intel to developer realities: Translate any mentions of Vect, TeamPCP, or BreachForums mobilization into concrete questions: Which of our apps depend on these tools? Which pipelines may have executed compromised artifacts? What would it take to rebuild them safely?
- Plan for platformized adversaries: Assume that future campaigns follow the same pattern of an upstream compromise, data harvest at scale, and ransomware across a broad victim set via a RaaS platform and underground community.
At Lunar, we see this as a preview of where the underground is headed, not an isolated incident. The line between supply chain compromise and ransomware is getting thinner, and attackers are working hard to erase it altogether.
The sooner defenders start thinking in terms of end‑to‑end criminal supply chains, the better positioned we will be to disrupt the next iteration before it reaches production.