TeamPCP Supply Chain Campaign Resumes After 26-Day Pause with Three Concurrent Compromises
The TeamPCP supply chain campaign resumed after a 26-day pause with three concurrent compromises targeting Checkmarx KICS, Bitwarden CLI, and xinference, alongside the discovery of a self-propagating npm worm called CanisterSprawl.

The TeamPCP supply chain campaign resumed with a vengeance after a 26-day pause on April 21-22, 2026, with three concurrent compromises across Docker Hub, npm, and PyPI. The Checkmarx KICS Docker Hub repository was compromised on April 22, leading to a downstream compromise of @bitwarden/cli version 2026.4.0 when Bitwarden's Dependabot automation pulled the malicious checkmarx/kics:latest image into the Bitwarden CI/CD pipeline. A self-propagating npm worm called CanisterSprawl was identified across 16 malicious packages, harvesting credentials via regex and exfiltrating to an Internet Computer Protocol canister. The xinference PyPI package was also poisoned, though TeamPCP publicly denied involvement in that incident.
The Checkmarx KICS compromise involved a threat actor authenticating to Docker Hub using valid Checkmarx publisher credentials and pushing malicious images to the official checkmarx/kics repository. Five existing tags (latest, v2.1.1.20, v2.1.20-debian, alpine, debian) were overwritten to malicious digests, and two new tags (v2.1.21, v2.1.21-debian) were created. The poisoned KICS binary retained legitimate scanning behavior and added a covert telemetry path that exfiltrated infrastructure-as-code scan output to attacker-controlled infrastructure at hxxps://audit.checkmarx[.]cx/v1/telemetry with User-Agent "KICS-Telemetry/2.0". The dangerous Docker Hub window was 14:17:59 UTC to 15:41:31 UTC. Trojanized cx-dev-assist (versions 1.17.0 and 1.19.0) and ast-results (versions 2.63.0 and 2.66.0) VS Code and Open VSX extensions were also identified, which silently downloaded a second-stage mcpAddon.js payload from a backdated commit in the official Checkmarx GitHub repository and executed it via the Bun runtime without integrity verification.
The CanisterSprawl worm was identified by Socket and StepSecurity beginning April 21, embedded across at least 16 malicious package versions across the @automagik, pgserve, @fairwords, and @openwebconcept publisher namespaces. The worm executes via npm postinstall hook, harvests roughly 40 credential categories via regex sweep, and exfiltrates to a dual-channel endpoint that includes an Internet Computer Protocol (ICP) canister, the same C2 architecture pattern used by TeamPCP's CanisterWorm. Socket and StepSecurity assess the lineage as TeamPCP-style without making a definitive same-actor attribution. The worm is cross-ecosystem, jumping from npm to PyPI if it discovers a PyPI publish token on the infected host.
The xinference PyPI package was poisoned on April 22 with three consecutive releases (versions 2.6.0, 2.6.1, and 2.6.2) published from a bot account with a malicious base64-encoded payload injected directly into `__init__.py`, executing automatically on package import. The payload swept AWS credentials, Go…
TeamPCP claimed responsibility for the Checkmarx KICS compromise via the @pcpcats X account, posting "Thank you OSS distribution for another very successful day at PCP inc." shortly after Socket and Checkmarx coordinated public disclosure. This is the second documented Checkmarx compromise by TeamPCP within sixty days; the prior incident in March affected the kics-github-action and ast-github-action GitHub Actions tags.
The campaign has visibly returned to its technical-discovery and active-compromise phase after spending most of April in credential-monetization mode. Analysts assess the operators retain full operational capability despite the prior month's monetization failures. The ADT breach, attributed to a vishing attack against an ADT employee's Okta single sign-on account, is not confirmed as a separate incident from the TeamPCP supply chain campaign, though ShinyHunters has been documented in prior updates as part of the TeamPCP-affiliated extortion ecosystem.
The resumption of the TeamPCP campaign underscores the persistent threat of supply chain attacks targeting CI/CD pipelines and package registries. The use of ICP canisters for C2 infrastructure and the cross-ecosystem propagation of CanisterSprawl highlight the evolving sophistication of the threat actors. Organizations are advised to audit their use of Checkmarx KICS, @bitwarden/cli, and xinference packages, and to implement strict controls on automated dependency updates.
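As an added defensive check (written for this summary, not code from Checkmarx, Bitwarden, Socket or StepSecurity), the following Python audit applies the indicators above to constructed samples: it flags Docker image references in CI config that rely on a mutable tag rather than a digest (the `checkmarx/kics:latest` tag is how the compromise reached Bitwarden's pipeline), looks for the affected @bitwarden/cli release in a package-lock.json, and searches egress logs for the covert KICS telemetry beacon. The CI and log line layouts are assumptions.

```python
import json
import re

# Indicators are taken from the write-up above; all sample inputs are constructed.
AFFECTED_NPM = {"@bitwarden/cli": {"2026.4.0"}}
TELEMETRY_UA = "KICS-Telemetry/2.0"
TELEMETRY_HOST = "audit.checkmarx.cx"  # refanged form of the domain in the write-up

# Image refs in CI config: `image: x/y:tag`, `docker://x/y:tag@sha256:<digest>`, `docker pull x/y`.
IMAGE_REF = re.compile(
    r"(?:image:\s*|docker://|docker pull\s+)"
    r"([\w./-]+(?::[\w.-]+)?(?:@sha256:[0-9a-f]{64})?)"
)

def unpinned_images(ci_text):
    """Return image refs that rely on a mutable tag (no @sha256 digest)."""
    return [ref for ref in IMAGE_REF.findall(ci_text) if "@sha256:" not in ref]

def affected_npm(lockfile_text):
    """Return (name, version) pairs in a package-lock.json that match affected releases."""
    lock = json.loads(lockfile_text)
    hits = []
    for path, meta in lock.get("packages", {}).items():
        name = path.rsplit("node_modules/", 1)[-1]  # strip the install-path prefix
        if meta.get("version") in AFFECTED_NPM.get(name, set()):
            hits.append((name, meta["version"]))
    return hits

def kics_telemetry_hits(log_lines):
    """Return egress/proxy log lines that show the covert KICS telemetry beacon."""
    return [line for line in log_lines if TELEMETRY_UA in line or TELEMETRY_HOST in line]

# Constructed samples: one mutable and one digest-pinned KICS image, a lockfile with the affected CLI, two proxy lines.
CI_SAMPLE = (
    "steps:\n"
    "  - uses: docker://checkmarx/kics:latest\n"
    "  - uses: docker://checkmarx/kics:v2.1.20@sha256:" + "0" * 64 + "\n"
)
LOCK_SAMPLE = json.dumps({"packages": {
    "": {"name": "app"},
    "node_modules/@bitwarden/cli": {"version": "2026.4.0"},
    "node_modules/left-pad": {"version": "1.3.0"},
}})
LOG_SAMPLE = [
    '2026-04-22T14:30:01Z CONNECT audit.checkmarx.cx:443 ua="KICS-Telemetry/2.0"',
    '2026-04-22T14:30:02Z CONNECT registry.npmjs.org:443 ua="npm/10.9.0"',
]

if __name__ == "__main__":
    print(unpinned_images(CI_SAMPLE), affected_npm(LOCK_SAMPLE), kics_telemetry_hits(LOG_SAMPLE))
```

Pinning every CI image by `@sha256:` digest is the control that would have kept the overwritten `latest` tag out of the pipeline; the lockfile and log checks are for finding exposure that already happened.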