Key Takeaways
- TeamPCP (also known as PCPcat, ShellForce, and DeadCatx3) is a cybercriminal group thought to be made up of former members of the English‑speaking network “The Com.”
- Between March and May 2026 the group carried out high‑profile supply‑chain attacks on Trivy, Checkmarx, and Telnyx, compromising trusted software to harvest valuable credentials.
- To monetise the stolen data, TeamPCP partnered with established extortion groups such as Lapsus$, and more recently with the ransomware operator Vect.
- The group’s evolving strategy shows a clear shift from conducting full‑scale operations alone to leveraging the strengths of specialised partners, using supply‑chain compromises as a direct conduit for ransomware deployment.
- Organizations must harden their software supply chains, enforce strict credential controls, and adopt collaborative threat‑intelligence practices to defend against this converging threat landscape.
Introduction to TeamPCP and Its Origins
TeamPCP, alternatively referred to as PCPcat, ShellForce, or DeadCatx3, is believed to consist of individuals who previously operated within The Com—a loosely affiliated, predominantly English‑speaking cybercriminal network. The Com’s reputation for sharing tools, tactics, and illicit services provided a fertile ground for the emergence of more specialised actors. By drawing on the expertise and contacts cultivated in that environment, TeamPCP has been able to rapidly develop sophisticated capabilities, particularly in the realm of supply‑chain intrusion and credential harvesting. Understanding this lineage helps explain the group’s ability to move quickly from initial access to high‑value data exfiltration.
Operational Timeline and Notable Attacks
Between March and May 2026, TeamPCP executed a series of high‑profile supply‑chain attacks that captured widespread attention within the security community. The group compromised the build pipelines or distribution channels of Trivy, Checkmarx, and Telnyx, inserting malicious code or backdoors that allowed them to harvest credentials from downstream users who trusted these tools. Each incident followed a similar pattern: initial infiltration of a trusted software repository, subtle modification of the software to exfiltrate authentication tokens or SSH keys, and subsequent use of those credentials to pivot into victim networks. The timing and coordination of these attacks demonstrated a level of planning and operational maturity that suggested a well‑resourced and experienced team.
Collaboration with Extortion Groups
Recognising the monetary value of the harvested credentials, TeamPCP sought partners capable of turning stolen data into immediate profit. In the months following the Trivy, Checkmarx, and Telnyx breaches, the group entered into a working relationship with Lapsus$, a notorious extortion collective known for high‑visibility data leaks and ransom demands. TeamPCP supplied Lapsus$ with the exfiltrated credentials, which the extortion group then used to threaten public disclosure or to facilitate direct financial extortion. This partnership illustrated a clear division of labor: TeamPCP focused on the technical intrusion and data acquisition, while Lapsus$ handled the negotiation, publicity, and monetisation aspects of the crime.
Strategic Shift Toward Ransomware Collaboration
The most recent evolution in TeamPCP’s tactics involves a partnership with Vect, a ransomware operator that specialises in encrypting victim data and demanding payment for decryption keys. By aligning with Vect, TeamPCP has moved beyond pure credential theft and extortion, positioning its stolen information as a foothold for ransomware deployment. The credentials obtained from supply‑chain compromises enable Vect to gain privileged access to target environments, bypassing many traditional defenses and increasing the likelihood of a successful ransomware infection. This collaboration underscores TeamPCP’s strategic emphasis on leveraging complementary skill sets rather than attempting to master every stage of an attack internally.
Mechanics of Supply Chain Attacks as a Path to Ransomware
Supply chain attacks have become an especially effective vector for ransomware because they exploit the inherent trust organisations place in third‑party software. When a trusted component is compromised, the malicious code can be distributed widely with little suspicion, providing attackers with a broad base of potential victims. In the case of TeamPCP, the harvested credentials act as force multipliers: they allow ransomware affiliates like Vect to move laterally, elevate privileges, and deploy encryption payloads across critical systems before defenders notice anomalous activity. Consequently, the initial supply‑chain breach serves not merely as a data‑theft operation but as a prelude to a potentially devastating ransomware event.
Division of Labor Among Cybercriminal Enterprises
Modern cybercriminal ecosystems increasingly resemble specialised service providers, each concentrating on a narrow set of capabilities. TeamPCP exemplifies this trend by focusing on intrusion, credential harvesting, and supply‑chain manipulation, while leaving the complexities of ransomware development, payment processing, and negotiation to partners such as Lapsus$ and Vect. This division of labour reduces the barrier to entry for each participant, increases overall operational efficiency, and allows groups to scale their impact rapidly. It also complicates attribution efforts, as the visible actors in a ransomware incident may be far removed from those who performed the initial compromise.
Implications for Software Supply Chain Security
The TeamPCP incidents highlight critical weaknesses in how organisations vet, sign, and monitor the software they consume. Attacks on trusted tools like Trivy (a vulnerability scanner), Checkmarx (a static application security testing platform), and Telnyx (a communications API provider) demonstrate that even security‑centric or infrastructure‑focused products are not immune to compromise. To mitigate such risks, organisations should adopt rigorous software bill of materials (SBOM) practices, enforce code‑signing verification, implement continuous integrity monitoring of build environments, and adopt zero‑trust principles that limit implicit trust in any third‑party component, regardless of its reputation.
Defensive Recommendations for Organizations
Defending against the convergent threat posed by groups like TeamPCP requires a layered approach. First, enforce multifactor authentication and least‑privilege access controls to limit the usefulness of stolen credentials. Second, deploy robust endpoint detection and response (EDR) solutions capable of detecting anomalous credential usage and lateral movement. Third, maintain immutable backups and test restoration procedures regularly to reduce the impact of ransomware encryption. Fourth, participate in industry‑wide threat‑intelligence sharing platforms to receive early warnings about compromised supply‑chain components. Finally, establish clear incident‑response playbooks that specifically address supply‑chain breaches, enabling rapid containment and eradication before ransomware payloads can be deployed.
Broader Trend of Cybercrime-as-a-Service and Collaboration
TeamPCP’s evolution mirrors a broader shift toward cybercrime‑as-a‑service (CaaS) models, where specialised actors offer distinct capabilities—such as initial access, credential theft, or ransomware deployment—on a contractual basis. This commoditisation lowers the technical threshold for conducting sophisticated attacks and encourages frequent collaboration between groups that might otherwise remain isolated. The partnership with Lapsus$ for extortion and with Vect for ransomware demonstrates how actors can seamlessly hand off the fruits of one operation to another, maximising profit while minimising individual exposure. As these collaborative networks mature, defenders must anticipate increasingly fluid threat landscapes where attribution becomes more difficult and attack chains grow longer.
Conclusion and Future Outlook
TeamPCP’s trajectory—from its origins in The Com, through high‑profile supply‑chain intrusions, to strategic alliances with extortion and ransomware groups—illustrates the adaptive nature of modern cybercrime. By concentrating on what it does best (gaining trusted access and harvesting credentials) and outsourcing the monetisation phase to specialised partners, the group amplifies its impact while reducing its own operational risk. For defenders, the lesson is clear: securing the software supply chain is no longer optional but a fundamental component of any robust cybersecurity posture. Continuous vigilance, stringent verification mechanisms, and collaborative defence strategies will be essential to counter the evolving tactics of groups like TeamPCP and the broader ecosystem of collaborative cybercriminal enterprises they represent.

