In what is being described as one of the most aggressive supply chain campaigns of 2026, the threat actor group TeamPCP has struck again. On April 22, 2026, security researchers at Socket and Sophos X-Ops identified a coordinated effort that compromised two of the industry’s most trusted developer tools: the Checkmarx KICS infrastructure scanner and the Bitwarden CLI.+1
This is the second time in a month that Checkmarx has been targeted, marking a relentless pivot by TeamPCP to weaponize security tooling against the very developers who use them for protection. By injecting credential-stealing malware into official distribution channels like Docker Hub, npm, and OpenVSX, the attackers have turned legitimate “security scans” into exfiltration engines.
Technical Breakdown: Poisoning the Well
The attack spanned multiple ecosystems, using a mix of compromised CI/CD secrets and sophisticated “backdated” commits to hide in plain sight.
1. The Checkmarx KICS Compromise (Docker Hub)
The Checkmarx KICS tool—downloaded over 5 million times—was compromised via its official Docker Hub repository.
- The Method: Attackers overwrote existing trusted tags (including
v2.1.20,alpine, andlatest) with malicious images. They also introduced a fake “update,” versionv2.1.21. - The Payload: The legitimate Go-based KICS binary was replaced with a version containing unauthorized exfiltration routines. When a developer runs a scan on their Terraform or Kubernetes files, the malware encrypts the scan report—which often contains sensitive infrastructure secrets—and sends it to an attacker-controlled domain:
audit.checkmarx[.]cx.
2. The Bitwarden CLI Hijack (npm)
Simultaneously, TeamPCP compromised a GitHub Action used in the Bitwarden CLI pipeline.
- The Result: A trojanized version of
@bitwarden/cli(v2026.4.0) was published to npm. - The Scope: Although it was live for only 90 minutes, any developer who updated their CLI during that window inadvertently installed a credential stealer. Bitwarden has confirmed that while the CLI tool was affected, end-user vault data remained secure.+1
3. VS Code & OpenVSX: The “mcpAddon” Masquerade
Checkmarx’s VS Code extensions (Developer Assist and AST-Results) were also tampered with.
- The Strategy: The attackers used a “dark commit” technique, backdating malicious code to 2022 to make it appear like a legacy feature.
- The Malware: A component named
mcpAddon.jswas introduced, masquerading as a feature for the Model Context Protocol (MCP). This script harvests a wide array of tokens, including AWS, Azure, GCP, and GitHub Auth tokens.
The Proliferating Threat: How the Malware Spreads
TeamPCP’s malware is designed for worm-like propagation. Once it steals a developer’s GitHub token, it doesn’t just stop at data theft:
- Workflow Injection: It automatically creates a new branch in the victim’s repositories and injects a rogue GitHub Action (
format-check.yml). - Secret Harvesting: This workflow triggers on every “push,” capturing any secrets available to that repository and uploading them as build artifacts for the attacker to collect.
- Downstream Poisoning: If the victim has write access to other npm or GitHub packages, the malware attempts to push malicious code to those repositories, continuing the cycle.
[Image: Infographic showing the TeamPCP lifecycle: Compromised Tool -> Stolen Token -> Malicious Workflow -> Downstream Repo Poisoning]
Risk-Impact Analysis
| Impacted System | Vulnerability | Consequence |
|---|---|---|
| CI/CD Pipelines | GitHub Actions / npm | Unauthorized code injection and secret theft from build environments. |
| Cloud Infrastructure | AWS / Azure / GCP | Full environment compromise via stolen authentication databases. |
| AI Workflows | Claude / MCP Configs | Exposure of proprietary AI prompts and model configurations. |
| Developer Identity | SSH Keys / GitHub Tokens | Long-term persistent access to private corporate codebases. |
Remediation: Immediate Actions Required
If your organization utilizes Checkmarx KICS, Bitwarden CLI, or Checkmarx VS Code extensions, follow these steps immediately:
1. Purge and Pin
- Docker: Run
docker rmion affected KICS tags and pull known-safe versions using Full SHA Hashes rather than mutable tags likelatest. - npm: Ensure Bitwarden CLI is updated to the patched version (post-v2026.4.0).
- VS Code: Uninstall and reinstall Checkmarx extensions; verify you are on a version released after April 23, 2026.
2. Mandatory Credential Rotation
Treat this as a full credential exposure event. You MUST rotate:
- GitHub Personal Access Tokens (PATs) and SSH keys.
- Cloud provider (AWS, Azure, GCP) access keys.
- npm and PyPI publishing tokens.
- Claude/MCP configuration secrets.
3. Audit for Persistence
Search your GitHub repositories for a workflow file named .github/workflows/format-check.yml. This is a signature of the TeamPCP “Shai-Hulud” worm. If found, your account has been used to spread the malware.
Conclusion: The Death of Implicit Trust
The TeamPCP campaign—which has already claimed victims like Trivy, LiteLLM, and Telnyx—proves that “official” repositories are no longer a guarantee of safety. When security tools become the primary vector for malware, the industry must shift from implicit trust to verified provenance.
Are you pinning your build tools to specific hashes? If not, your next “security scan” might be the very thing that compromises your entire cloud.
