Menu
Browse

Cyber Threat Actor: Vect

Actor Type Location Known Incidents
 Icon
Crime Syndicate
1 incident
Profile

Vect is a threat actor known by the alias Vect, identified as a ransomware group that carried out a supply‑chain compromise of Aqua Security’s Trivy vulnerability scanner. In early February 2026 the actors injected credential‑stealing malware into Trivy’s official GitHub Action, helper action and binary, which were then disseminated through GitHub releases, Docker Hub and other container registries. The malicious code harvested more than 500,000 login credentials, including cloud tokens, SSH keys and Kubernetes secrets, affecting approximately 10,000 CI/CD workflows. This operation gave the group access to a broad set of privileged secrets that could be leveraged for further intrusion.

The stolen credentials were subsequently employed by Vect in a partnership with the TeamPCP ransomware collective to conduct confirmed ransomware deployments. Security researchers characterized this collaboration as an industrialized ransomware model, highlighting the division of labor between credential theft and ransomware execution. Following the activity, the FBI issued a flash warning concerning TeamPCP’s supply‑chain credential‑theft tactics, underscoring the broader impact of the operation. No additional sectors, geographic foci or strategic objectives beyond the ransomware activity are described in the publicly available information.

Vect’s observed tactics include the use of credential‑stealing malware as an initial access vector, exploiting trusted software distribution channels such as GitHub Actions and container registries to propagate malicious code. The group’s tooling style emphasizes leveraging legitimate build and release pipelines to evade detection, while the subsequent ransomware phase relies on the acquired credentials to move laterally and encrypt victim data. These TTPs represent the only confirmed behaviors attributed to Vect based on the reported incident.

Incidents
Attributed incidents available to members
1 incident
Sources
Sources available to members
0 sources