TeamPCP Supply Chain Campaign: Update 008 - 26-Day Pause Ends with Three Concurrent Compromises (Checkmarx KICS, Bitwarden CLI Cascade, xinference PyPI), CanisterSprawl npm Worm Identified, and Tier 1 Coverage Returns

    Published: 2026-04-27. Last Updated: 2026-04-27 14:01:17 UTC
    by Kenneth Hartman (Version: 1)
    0 comment(s)

    This update succeeds TeamPCP Supply Chain Campaign Update 007, published April 8, 2026, which left the campaign in credential-monetization mode following the Cisco source code theft via Trivy-linked credentials, Google GTIG's formal designation of the operators as UNC6780 (with their credential stealer named SANDCLOCK), and the lapsed CISA KEV remediation deadline for CVE-2026-33634 with no standalone federal advisory. The Sportradar publication deadline flagged in Update 007 (approximately April 10 to 11) lapsed without a public CipherForce dump, and CipherForce's leak infrastructure has remained offline. Twelve days after Update 007, the technical compromise picture changed sharply across the W17 window (April 20 through April 26).

    The most significant development of the week was the end of TeamPCP's 26-day supply chain compromise pause, with three concurrent package compromises landing across npm, PyPI, and Docker Hub between April 21 and 22. The Checkmarx KICS Docker Hub repository was compromised on April 22 (claimed by TeamPCP via @pcpcats), the xinference PyPI package was poisoned the same day with a TeamPCP marker that the group publicly denied, and a self-propagating npm worm tracked as CanisterSprawl was identified by Socket and StepSecurity beginning April 21. The KICS Docker compromise then cascaded into a downstream compromise of @bitwarden/cli version 2026.4.0 the same evening when Bitwarden's Dependabot automation pulled the malicious checkmarx/kics:latest image into the Bitwarden CI/CD pipeline. Reporting suggests the campaign has visibly returned to its technical-discovery and active-compromise phase after spending most of April in credential-monetization mode; analysts assess the operators retain full operational capability despite the prior month's monetization failures.

    Dated event log

    • The supply chain pause ended decisively. Prior weekly and daily updates documented an approximately 26-day gap from the Telnyx PyPI disclosure (March 27) without new package compromises, and the W16 weekly characterized the campaign as being in a "credential monetization phase" rather than active compromise. The April 21 to 22 cluster of three new compromises across three different ecosystems (npm, PyPI, Docker Hub) ends that pause and demonstrates the operators retained the access, the publishing-credential foothold, and the operational tempo to mount synchronized multi-ecosystem operations. The KICS compromise specifically used valid Checkmarx publisher credentials, which suggests the credential-theft pipeline from prior campaigns has produced reusable access into vendor publishing infrastructure beyond the originally compromised ecosystems.
    • Cascading impact from one compromise to another is now empirically demonstrated. The Bitwarden CLI compromise was not a separate intrusion: it was a downstream consequence of the KICS Docker image push, propagated through Bitwarden's trusted Dependabot automation. Reporting suggests this is the first documented case in this campaign of a compromise of one popular developer tool automatically poisoning the build pipeline of another popular developer tool through ordinary dependency-update automation. Analysts assess this validates a long-flagged theoretical risk: in a supply chain campaign where security tooling is the target, automated pull-through compromises will compound exponentially with the popularity and trust of each compromised artifact.
    • The "TeamPCP claims one, denies the other" pattern is analytically significant. In the same 24 hour window, TeamPCP explicitly took credit for Checkmarx (via the @pcpcats account, with taunting language) but explicitly denied the xinference compromise that bore its branding marker. Both attacks share TeamPCP's operational signature (double base64 encoding, detached subprocess on import, exhaustive credential sweep). Reporting suggests three possible explanations: (1) genuine copycat or splinter actor reusing leaked TeamPCP tooling; (2) deliberate false flag by TeamPCP intended to muddy attribution; or (3) operational discipline whereby TeamPCP claims compromises it considers high-prestige (a security vendor) and disowns those it considers low-prestige or unprofitable (an inference framework with low corporate footprint). Analysts assess explanation (1) is most likely given the simultaneous scaling of the broader extortion ecosystem (Vect, ShinyHunters, CanisterSprawl), but cannot rule out the others.
    • Tier 1 coverage returned in force after six quiet weeks. BleepingComputer, Dark Reading, SecurityWeek, The Hacker News, and Cybernews all published original TeamPCP-related reporting during the target week, ending the longest dry spell since the campaign began. The catalyst was new technical compromise events rather than victim disclosures, consistent with the W16 analyst observation that mainstream coverage of this campaign is driven by novel compromises rather than ongoing extortion activity.
    • Vect's leak site went quiet despite prior projections. The W16 weekly identified a 9 day 8 hour negotiation countdown on the Guesty listing that placed expected publication around April 24. Monitoring of ransomware.live during the target week shows Vect's victim count remained at 25, with no new TeamPCP-tagged listings and no public publication of Guesty or S&P Global data through April 26. Reporting suggests one of three possibilities: (1) negotiations are progressing privately, (2) Vect is conserving public output while TeamPCP regains technical operational focus, or (3) the publishing infrastructure once again hit a disruption. Analysts assess this is the third consecutive lapsed Vect-or-CipherForce monetization deadline (after ShinyHunters/Cisco approximately April 3 and CipherForce/Sportradar approximately April 10 to 11), which is now a robust pattern.

    Watch items

    • xinference attribution resolution. Vendor analyses from JFrog, OX Security, StepSecurity, and Mend disagree on whether xinference is genuine TeamPCP, a copycat, or a deliberate false flag. The next coherent statement from Mandiant or GTIG (which formally tracks TeamPCP as UNC6780) will likely settle the question and is worth monitoring; absent that, watch for additional compromises bearing the same operator marker that TeamPCP either claims or denies, which would clarify the discipline-versus-copycat hypothesis.
    • Cascading downstream impact through Dependabot or similar automation. The Bitwarden CLI compromise is the first documented automation-pivoted cascade in this campaign. Watch for additional disclosed cases in the coming week, particularly from organizations whose CI/CD pipelines pulled checkmarx/kics during the April 22 14:17:59 UTC to 15:41:31 UTC window. Endor Labs and StepSecurity have published detection guidance; victim disclosures are likely to materialize on a 3 to 14 day delay as organizations complete forensic review of their own April 22 build artifacts.
    • CanisterSprawl ecosystem jump. Socket and StepSecurity flagged that CanisterSprawl jumps to PyPI when it discovers a PyPI publish token. Watch for the first confirmed PyPI compromise that shares CanisterSprawl indicators (ICP canister C2, postinstall execution pattern, the specific 40-category regex sweep), which would convert the cross-ecosystem capability from theoretical to demonstrated.
    • CISA standalone advisory or emergency directive. CISA has not issued a dedicated TeamPCP advisory in the 35 days since adding CVE-2026-33634 to the KEV catalog. Three concurrent compromises affecting Checkmarx, Bitwarden, Xorbits xinference, and Namastex Labs in a single 48 hour window during a sitting federal civilian remediation cycle creates additional pressure for a standalone advisory. Watch for any CISA, FBI, or Five Eyes joint product responsive to W17 events.
    • Vect publication or formal de-escalation. With three consecutive lapsed Vect-or-CipherForce monetization deadlines, watch for either a delayed public Guesty or S&P Global data dump or a formal Vect statement on the leak site. Continued silence into W18 increasingly favors the hypothesis that the TeamPCP-affiliated extortion arm is operationally constrained rather than tactically patient.

    Source index

    Tier 1 (major security publications)

    Tier 2 (vendor threat intelligence)

    Tier 3 (government or institutional)

    • No new dedicated CISA, FBI, NCSC, ACSC, CCCS, BSI, or Singapore CSA advisories have been reported for TeamPCP-related activity during the target week based on monitoring of the listed sources. The CISA KEV entry for CVE-2026-33634 from late March remains the only US federal action and was not updated this week. CERT-EU has not issued a follow-on bulletin to the European Commission disclosure. No Five Eyes joint advisory has been identified. The supply chain attacks on April 21 to 22 were sufficiently public to generate Tier 1 coverage; the absence of a corresponding CISA standalone advisory or emergency directive is itself a continuing signal.

    Tier 4 (social and dark web signal)

    Keywords: Bitwarden CLI CanisterSprawl Checkmarx KICS Dependabot cascade ShaiHulud supply chain attack TeamPCP xinference
    0 comment(s)

      Comments

      Login here to join the discussion.


      Diary Archives