TeamPCP Slowdown, Ransomware Escalation: Threat Persists Despite Decreased Attacks


Supply Chain Attacks Intensify with New Ransomware Pivot

In recent weeks, the threat group TeamPCP has significantly scaled back its supply chain campaign, but experts warn that the threat has evolved rather than ended, shifting toward more lucrative ransomware deployment.

The Group’s Pivot Towards Ransomware

The group’s pivot towards ransomware comes on the heels of a high-profile partnership with Vect, a new ransomware-as-a-service (RaaS) operation.

“We’re ready to deploy ransomware across all affected companies that got hit by these attacks,” Vect boasted. “We won’t stop there. We will pull off even bigger supply chain operations.”

This threat is already being realized, according to experts.

“There has already been a first confirmed Vect ransomware deployment using TeamPCP-sourced credentials,” said SANS instructor Kenneth Hartman.

TeamPCP’s Activities

TeamPCP’s activities began in 2024, focusing on compromising misconfigured Docker APIs, Kubernetes clusters, Ray dashboards, and Redis servers to steal credentials and deploy cryptominers.

In 2025, the group expanded its capabilities for automated supply chain attacks. Its most notable innovation was the deployment of CanisterWorm, a self-propagating worm using ICP Canister nodes as decentralized, censorship-resistant C2 infrastructure.

The group’s subsequent campaigns demonstrate its adaptability, rapidly evolving from delivering inline Base64 payloads, to .pth auto-execution (site-packages .pth files whose lines beginning with `import` Python runs at every interpreter start-up), and eventually to split-file WAV steganography.
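As an added illustration of the .pth auto-execution stage (example code written for this page, not TeamPCP tooling or any vendor's detection rule), the script below scans a site-packages-style directory for .pth lines that Python would execute and flags those carrying tokens typical of an inline Base64 dropper. The token list and the sample files it builds are assumptions constructed for the demonstration; the malicious payload is only decoded, never executed.

```python
"""Scan site-packages-style directories for .pth files that execute code on
interpreter start-up.  Added example, not TeamPCP tooling or any project's code."""
import base64
import site
import tempfile
from pathlib import Path

# Python executes any .pth line that begins with "import"; every other line is
# treated as a path entry.  The tokens below are an illustrative choice for this
# example, not a published indicator set.
SUSPICIOUS = ("exec(", "eval(", "base64", "subprocess", "os.system",
              "__import__", "compile(", "urlopen", "socket")


def classify_pth_line(line):
    """None for a path entry (never executed); otherwise the matched tokens
    (an empty list means an import line with nothing suspicious)."""
    stripped = line.strip()
    if not stripped.startswith("import"):
        return None
    return [tok for tok in SUSPICIOUS if tok in stripped]


def scan_pth_dir(directory):
    """Return [(file name, line number, tokens)] for every executable .pth
    line that carries at least one suspicious token."""
    findings = []
    for pth in sorted(Path(directory).glob("*.pth")):
        text = pth.read_text(encoding="utf-8", errors="replace")
        for lineno, line in enumerate(text.splitlines(), 1):
            hits = classify_pth_line(line)
            if hits:
                findings.append((pth.name, lineno, hits))
    return findings


def build_demo_dir():
    """Constructed sample: two benign .pth files and one inline-Base64 dropper
    in a temporary directory (file names and contents are made up)."""
    d = Path(tempfile.mkdtemp())
    (d / "easy-install.pth").write_text("./somepkg-1.0-py3.11.egg\n/opt/extra/lib\n")
    (d / "_virtualenv.pth").write_text("import _virtualenv\n")
    # The "payload" is a harmless print so the sample is safe to keep on disk.
    payload = base64.b64encode(b"print('stage2')").decode()
    (d / "cache_hooks.pth").write_text(
        f"import base64,os;exec(base64.b64decode('{payload}'))\n")
    return d


if __name__ == "__main__":
    for name, lineno, hits in scan_pth_dir(build_demo_dir()):
        print(f"DEMO  {name}:{lineno} {hits}")
    # Then the interpreter's real site-packages directories.
    for sp in site.getsitepackages():
        for name, lineno, hits in scan_pth_dir(sp):
            print(f"LIVE  {sp}/{name}:{lineno} {hits}")
```

Run it as a post-install check in CI or on build hosts; a .pth that decodes and `exec`s data at import time has no legitimate reason to exist in a typical environment, whereas `import _virtualenv` style lines are common and are not reported.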

Additionally, TeamPCP expanded its targeting scope from Linux-only to dual-platform targeting with Windows persistence.

Experts’ Warning

Experts caution that the group’s pivot does not signal the end of supply chain operations.

TeamPCP has amassed a significant stash of stolen credentials, estimated to be over 300 GB, which can be exploited at any moment.

On the other hand, improved vigilance by package registries such as PyPI may raise the cost of future operations for the attackers.

Maintaining Open-Source Projects Securely

Maintainers of open-source projects must recognize the severity of the threat and take proactive measures to secure their projects.

Experts emphasize the importance of pinning dependencies to cryptographic hashes rather than relying on automatic updates.

This approach allows new releases to be reviewed and tested before they are integrated, and it means that a tampered or substituted artifact carrying the same name and version fails verification instead of installing silently, reducing the likelihood of inadvertently incorporating supply chain malware.
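The following example, added here and not taken from the page's sources or from pip itself, shows what hash pinning looks like in practice: it parses the `--hash=sha256:…` form that `pip install --require-hashes` consumes, produces a pin line for a vetted artifact, and refuses an artifact whose bytes no longer match. The package name, file names and file contents are constructed for the demonstration.

```python
"""Verify a downloaded package artifact against hash-pinned requirements.
Added example; not pip's implementation and not code from the page's sources."""
import hashlib
import re
import tempfile
from pathlib import Path

HASH_RE = re.compile(r"--hash=(?P<algo>[a-z0-9]+):(?P<digest>[0-9a-fA-F]+)")
REQ_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?==(?P<ver>[^\s\\]+)")


def parse_requirements(text):
    """Return {normalized name: (version, {(algo, digest)})}.
    Handles backslash continuations, comments and option lines; any requirement
    that is not exactly pinned with at least one hash is rejected outright."""
    pins = {}
    logical = text.replace("\\\n", " ")          # join continuation lines
    for raw in logical.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):     # blank or e.g. --index-url
            continue
        m = REQ_RE.match(line)
        if not m:
            raise ValueError(f"unpinned or unparsable requirement: {line!r}")
        hashes = {(h.group("algo"), h.group("digest").lower())
                  for h in HASH_RE.finditer(line)}
        if not hashes:
            raise ValueError(f"{m.group('name')} has no --hash; refusing")
        key = m.group("name").lower().replace("_", "-")
        pins[key] = (m.group("ver"), hashes)
    return pins


def file_digest(path, algo="sha256"):
    """Streamed digest of a file, so large wheels do not need to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_artifact(path, name, pins):
    """True only if the file matches one of the pinned hashes for that name."""
    key = name.lower().replace("_", "-")
    if key not in pins:
        return False
    _, hashes = pins[key]
    return any(file_digest(path, algo) == digest for algo, digest in hashes)


def pin_line(name, version, path, algo="sha256"):
    """The requirements line for a vetted artifact (equivalent to `pip hash`)."""
    return f"{name}=={version} --hash={algo}:{file_digest(path, algo)}"


def demo():
    """Constructed scenario: pin a vetted wheel, then swap its contents while
    keeping the same file name, as a registry-side substitution would."""
    d = Path(tempfile.mkdtemp())
    wheel = d / "examplepkg-1.0.0-py3-none-any.whl"   # placeholder bytes, not a real wheel
    wheel.write_bytes(b"PK\x03\x04 vetted release contents")
    pins = parse_requirements(pin_line("examplepkg", "1.0.0", wheel) + "\n")
    ok_before = verify_artifact(wheel, "examplepkg", pins)
    wheel.write_bytes(b"PK\x03\x04 vetted release contents + injected stage")
    ok_after = verify_artifact(wheel, "examplepkg", pins)
    return ok_before, ok_after


if __name__ == "__main__":
    print(demo())   # (True, False)
```

Generate the pin lines once, when a release has actually been reviewed, and install with `pip install --require-hashes -r requirements.txt`; in that mode pip refuses any requirement that lacks a hash, so a single unpinned transitive dependency fails the build rather than opening a gap.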


