nav[aria-label="Primary Navigation"] { padding: 0; & ul { list-style: none; width: 100%; display: flex; flex-direction: row; justify-content: start; align-items: start; gap: 30px; padding: 0; & li { margin: 0; } & ul li { list-style: none; } } }

Checkmarx Supply‑Chain Compromise Linked to TeamPCP Canister‑Style Worm Activity

Du'aine Davis · 2026-04-24T08:48:48+00:00

Observed in the wild * Between March-April 2026, developers and organisations using Checkmarx KICS Docker images and VS Code extensions were exposed to a supply‑chain compromise. Malicious artefacts replaced legitimate releases in official channels, risking credential exposure during IaC scanning and developer workflows.…

Du'aine Davis

Observed in the wild

Between March-April 2026, developers and organisations using Checkmarx KICS Docker images and VS Code extensions were exposed to a supply‑chain compromise. Malicious artefacts replaced legitimate releases in official channels, risking credential exposure during IaC scanning and developer workflows. Impact extended to CI/CD environments and downstream ecosystems where stolen credentials enabled further propagation.
The campaign is linked to TeamPCP, which used tag overwrites, trojanised containers, and malicious IDE extensions to deliver a multi‑stage credential stealer. Payloads executed via the Bun runtime, harvesting cloud, GitHub, npm, and CI secrets, then exfiltrating them and abusing stolen access to spread further. This mirrors CanisterSprawl, a TeamPCP‑style self‑propagating supply‑chain worm model.
Organisations should treat affected KICS scans and developer systems as potentially compromised, rotate exposed secrets, and audit CI/CD pipelines for unauthorised workflows. Use Microsoft Defender for Cloud and Endpoint to detect suspicious credential access, container tag changes, unusual developer tool executions (e.g. Bun), and outbound exfiltration attempts from build or IDE hosts.

Malicious Checkmarx Artifacts Found in Official KICS Docker ...
CanisterSprawl - Socket

Find more posts tagged with

Threat discussion

Sign in to participate and unlock exclusive content 🔓

It looks like you're new here! Sign in or register to be able to comment, access member-only content and follow the spaces relevant to you.

Comments

Du'aine Davis

Bitwarden Confirms Limited CLI Exposure in Checkmarx Supply‑Chain Incident

On 23 April, Bitwarden confirmed that a malicious package was briefly distributed via npm as part of the broader Checkmarx supply‑chain incident. The issue affected the @bitwarden /cli package version 2026.4.0, available for under two hours on 22 April. Bitwarden stated that no vault data, production systems, or core codebases were compromised, and that only users who installed that specific version via npm were impacted.
The activity involved compromise of the npm distribution path rather than Bitwarden’s source repositories or infrastructure. The malicious release aligned with the Checkmarx TeamPCP‑linked campaign targeting CI and package publishing workflows, enabling credential and secret harvesting from developer environments. The incident reinforces that publishing pipelines remain a high‑risk stage in software supply chains, even where code integrity and access controls are otherwise sound.
Bitwarden advised affected users to uninstall the compromised CLI version, clear npm caches, rotate exposed secrets such as API tokens and SSH keys, and review CI, GitHub activity, and workflows for misuse. From a Defender perspective, organisations should monitor developer endpoints for unexpected npm install activity, abnormal child processes, access to environment variables, and unauthorised outbound connections following package installation.

Bitwarden Statement on Checkmarx Supply Chain Incident - Announcements / Notices - Bitwarden Community Forums

See what's trending

Click on a tag to discover all the published content related to it.