Threats Tagged 'teampcp'

Vect ransomware emerged in January 2026 as a new threat actor operating a Ransomware-as-a-Service program with strategic partnerships that significantly expand its reach. The group has partnered with TeamPCP, known for supply chain attacks compromising security tools like Trivy, KICS, and LiteLLM, and BreachForums, distributing affiliate keys to forum members. With 25 published victims primarily targeting the United States and Technology sector, Vect maintains an open affiliate program requiring only a $250 invite code. The operation offers multi-platform ransomware payloads for Windows, Linux, and ESXi with sophisticated lateral movement capabilities and tiered commission structures reaching 89% for top affiliates. Analysis reveals connections to the defunct Devman ransomware through shared code strings and ransom note similarities, suggesting possible rebranding or code reuse.

Check Point Research discovered critical flaws in VECT 2.0 ransomware affecting Windows, Linux, and ESXi platforms. A fundamental encryption implementation error causes files larger than 128 KB to be permanently destroyed rather than encrypted. The malware uses ChaCha20-IETF cipher but only saves one of four decryption nonces required for large files, making recovery impossible even after ransom payment. VECT's encryption speed modes are non-functional, thread scheduling degrades performance, and anti-analysis code is unreachable. Despite partnerships with TeamPCP and BreachForums for distribution, the technical implementation demonstrates amateur execution behind a professional facade. The nonce-handling flaw exists across all platform variants since initial deployment, effectively transforming this ransomware into a wiper for enterprise assets including VM disks, databases, and backups.

Xinference, an open-source distributed AI model inference framework, suffered a supply chain attack when attackers compromised PyPI release credentials of maintainers and published three malicious versions (2.6.0, 2.6.1, 2.6.2) on April 22, 2026. The malicious code, encoded in Base64 layers within __init__.py, executes automatically upon library installation or import, collecting cloud credentials, SSH keys, API tokens, database passwords, cryptocurrency wallets, and environment variables. The payload specifically targets AWS environments through metadata service exploitation and uploads stolen data to attacker-controlled infrastructure. The attack affects users who downloaded these versions from PyPI, which has over 680,000 total downloads. Attribution remains unclear as TeamPCP's name appears in the code but the group denies involvement, suggesting third-party impersonation.