TL;DR
An ongoing campaign — attributed with moderate confidence to a threat actor cluster known as TeamPCP — has systematically compromised developer and security tooling throughout early 2026. The attack vector is credential theft against package registry publishers, not code repositories. The payload is elegant and brutal: the poisoned tools keep doing their legitimate job while quietly exfiltrating the infrastructure secrets those same scans uncover. KICS scans your Terraform configs. The backdoored KICS sends your Terraform configs to the attacker. Victims include Checkmarx (twice), Trivy, LiteLLM, Bitwarden CLI, and at minimum a dozen smaller packages. The dangerous KICS window was 84 minutes. In enterprise CI/CD, that is more than enough.
Background: Why Security Tools Are the Perfect Supply Chain Target
The conventional supply chain attack model targets the broadest possible dependency graph: a widely-used utility library with tens of millions of weekly downloads. The attacker maximizes blast radius by poisoning something omnipresent — event-stream, ua-parser-js, colors.js.
TeamPCP's 2026 campaign is strategically different. It targets a narrower but more privileged dependency layer: DevSecOps tooling. The logic is uncomfortable to sit with:
- A static analysis scanner runs with read access to your entire codebase and configuration tree.
- A container security scanner runs inside your CI runner with access to environment variables, cloud credentials, and Docker secrets.
- A CLI password manager runs as a trusted binary, often with keyring or secrets-manager integrations.
These tools already have the keys to your kingdom. The attacker does not need to pivot, escalate, or exploit a second vulnerability. The malicious code just has to exfiltrate the data that the legitimate tool was already harvesting. It is, as one researcher put it, an adversarial turn of "security by design."
The broader pattern also targets tooling that runs autonomously in CI/CD pipelines — meaning no human is watching when the exfiltration happens, log artifacts are often discarded, and the blast radius is not one developer's workstation but potentially every infrastructure environment the pipeline touches.
Technical Analysis
Act I — The Trivy Precedent (Early 2026)
The campaign's first documented and confirmed hit was the Trivy container vulnerability scanner, maintained by Aqua Security. While full technical details remain partially undisclosed by the vendor, the attack shape was identical to what followed: stolen publisher credentials used to push a malicious image to Docker Hub under the legitimate Aqua namespace. The legitimate scanning functionality was preserved. An exfiltration path was added.
Trivy set the template: compromise the publisher credential, overwrite high-traffic tags, blend malicious code with the legitimate binary surface, ship to the existing userbase via normal pull mechanisms. No CVE. No code vulnerability. Just trust exploitation.
Act II — The March GitHub Actions Injection
In March 2026, TeamPCP escalated against Checkmarx. Rather than going directly to Docker Hub, the group first compromised two of Checkmarx's GitHub Actions workflows:
- checkmarx/ast-github-action
- checkmarx/kics-github-action
Both are officially maintained by Checkmarx and used by thousands of repositories to integrate KICS (Keeping Infrastructure as Code Secure) scanning into GitHub pipelines. The injected payload was a credential stealer targeting CI environment variables — specifically cloud provider tokens (AWS_ACCESS_KEY_ID, AZURE_CLIENT_SECRET, GOOGLE_APPLICATION_CREDENTIALS), Docker registry credentials, and any secrets exposed to the runner environment.
This phase affected anyone running the kics-github-action during the compromise window. The GitHub-hosted credential thefts would not show up in Docker Hub logs, making detection significantly harder than the subsequent Docker Hub push.
Act III — The Docker Hub KICS Overwrite (April 22, 2026)
On April 22, 2026, 12:35 UTC, the most surgical phase of the campaign executed. A threat actor authenticated to Docker Hub using valid Checkmarx publisher credentials — credentials that appear to have been harvested during the March GitHub Actions compromise or through a parallel social engineering track — and pushed malicious images to the checkmarx/kics repository.
The following tags were overwritten to attacker-controlled digests:
| Tag | Status |
|-----|--------|
| latest | Overwritten |
| v2.1.20 | Overwritten |
| v2.1.20-debian | Overwritten |
| alpine | Overwritten |
| debian | Overwritten |
Two new tags were also created:
| Tag | Status |
|-----|--------|
| v2.1.21 | New (malicious) |
| v2.1.21-debian | New (malicious) |
The dangerous pull window was confirmed by Docker's forensic analysis: 2026-04-22 14:17:59 UTC to 2026-04-22 15:41:31 UTC — approximately 84 minutes. During that window, any CI/CD pipeline configured to pull checkmarx/kics:latest or the named version tags would have received the backdoored image.
The Payload Mechanics
The poisoned KICS binary preserved the full legitimate scanning capability. The modification was additive, not substitutive — KICS continued to generate valid IaC scan output. The malicious addition:
1. Collected the full, unredacted scan report including all infrastructure secrets, credentials, and configuration data surfaced by the KICS engine (Terraform, CloudFormation, Kubernetes manifests, Helm charts, Ansible playbooks).
2. Encrypted the collected data using asymmetric encryption with an attacker-controlled public key embedded in the binary.
3. Exfiltrated to audit.checkmarx[.]cx — a lookalike domain registered by the attacker to blend with legitimate Checkmarx telemetry endpoints. The exfiltration used User-Agent: KICS-Telemetry/2.0, mimicking a plausible telemetry header that SOC rules are unlikely to alert on.
The sophistication here deserves emphasis: the attacker-controlled domain is not a generic C2 domain. It is a typosquat constructed to defeat both human review of network logs and automated domain reputation checks. Security teams reviewing network egress from their CI runners would see traffic to audit.checkmarx.cx and likely interpret it as legitimate product telemetry.
Act IV — The Bitwarden CLI npm Compromise
Running parallel to the Docker Hub campaign was a coordinated npm attack. The package @bitwarden/cli@2026.4.0 was published to npm under credentials obtained through the same cluster of infrastructure access. Endor Labs researchers identified a forensic tell that confirms tampering: a version skew between the package manifest and the embedded binary metadata.
- package.json declares version 2026.4.0
- build/bw.js internal metadata still references 2026.3.0
This version skew is the fingerprint of a repackaged artifact — the attacker took the legitimate 2026.3.0 binary, added the malicious payload, bumped the version in the manifest only (missing the internal metadata), and published. The payload targets:
- Cloud provider credentials from environment variables
- CI/CD system tokens (GitHub, GitLab, CircleCI, Buildkite)
- Developer workstation secrets (SSH keys, GPG keys, browser-stored credentials)
Endor Labs' analysis links this to the same actor cluster via overlapping C2 infrastructure and identical encryption/exfiltration patterns.
The Lapsus$ Connection
Adding another layer: BleepingComputer reports that Checkmarx has confirmed that Lapsus$ — the data extortion group responsible for high-profile breaches of Nvidia, Samsung, Okta, and Microsoft in 2022 — has claimed responsibility for a separate but related Checkmarx intrusion in which source code and internal secrets were dumped. Whether TeamPCP is a successor group, affiliated operation, or the same actors operating under updated tradecraft is not yet publicly confirmed. The temporal overlap and targeting profile are notable.
Timeline Summary
| Date | Event |
|------|-------|
| Early March 2026 | TeamPCP compromises kics-github-action and ast-github-action CI workflows |
| March 23, 2026 | First KICS Docker Hub injection by TeamPCP |
| April 2026 | @bitwarden/cli@2026.4.0 published to npm |
| April 22, 2026, 12:35 UTC | Second KICS Docker Hub push with valid Checkmarx credentials |
| April 22, 2026, 14:17–15:41 UTC | Active dangerous pull window (84 minutes) |
| April 22–23, 2026 | Docker and Checkmarx identify and remediate poisoned tags |
| April 23, 2026 | Docker publishes incident post-mortem |
| April 27, 2026 | The Register reports ongoing campaign expanding to additional targets |
IOCs / Indicators of Compromise
Malicious domain:
- audit.checkmarx[.]cx — C2 / exfiltration endpoint (lookalike domain)
Malicious Docker tags (now remediated — check your pull logs):
- checkmarx/kics:latest (pulled between 2026-04-22 14:17:59 UTC – 15:41:31 UTC)
- checkmarx/kics:v2.1.20 (same window)
- checkmarx/kics:v2.1.20-debian (same window)
- checkmarx/kics:alpine (same window)
- checkmarx/kics:debian (same window)
- checkmarx/kics:v2.1.21 (all pulls — this tag was entirely attacker-created)
- checkmarx/kics:v2.1.21-debian (all pulls)
Malicious npm package:
- @bitwarden/cli@2026.4.0 — do not install; uninstall if present
User-Agent pattern (network detection):
- KICS-Telemetry/2.0 in HTTP egress from CI runners (not generated by legitimate KICS)
Version skew check (Bitwarden CLI):
- Mismatch between package.json version field and build/bw.js internal metadata version string
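The version skew check can be scripted against an unpacked package directory. The following is an added example, not code from Endor Labs or Bitwarden; it assumes the bundle embeds its release as a calendar-style version string, and `check_version_skew` and `make_sample` are hypothetical helper names.

```python
import json
import re
from pathlib import Path

# Assumption: the bundle embeds its release as a calendar version (YYYY.M.P),
# the scheme of the two versions quoted on this page (2026.3.0, 2026.4.0).
CALVER = re.compile(r"(?<![\d.])20\d{2}\.\d{1,2}\.\d{1,3}(?![\d.])")


def check_version_skew(package_dir):
    """Compare package.json's version with version strings inside build/bw.js.

    Returns (verdict, manifest_version, embedded_versions); verdict is 'match',
    'skew' or 'inconclusive' (no version string found in the bundle).
    """
    root = Path(package_dir)
    manifest = json.loads((root / "package.json").read_text(encoding="utf-8"))["version"]
    bundle = (root / "build" / "bw.js").read_text(encoding="utf-8", errors="replace")
    embedded = sorted(set(CALVER.findall(bundle)))
    if not embedded:
        verdict = "inconclusive"
    elif manifest in embedded:
        verdict = "match"
    else:
        verdict = "skew"  # manifest bumped, bundle metadata left behind
    return verdict, manifest, embedded


def make_sample(package_dir, manifest_version, bundle_version):
    """Write a constructed two-file package tree (sample data, not a real artifact)."""
    root = Path(package_dir)
    (root / "build").mkdir(parents=True, exist_ok=True)
    (root / "package.json").write_text(
        json.dumps({"name": "@bitwarden/cli", "version": manifest_version}))
    (root / "build" / "bw.js").write_text(
        f'const meta = {{ version: "{bundle_version}" }};\n')


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        make_sample(tmp, "2026.4.0", "2026.3.0")
        print(check_version_skew(tmp))
```

An 'inconclusive' verdict means the heuristic found nothing to compare, not that the package is clean.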
Affected GitHub Actions:
- checkmarx/kics-github-action — audit workflow runs from March 2026
- checkmarx/ast-github-action — audit workflow runs from March 2026
Lyrie Take
This campaign is a preview of a structural problem that the industry has not adequately priced in.
The security toolchain sits in an extraordinarily privileged position in modern software delivery. SAST scanners read source code. IaC scanners read infrastructure definitions complete with variable interpolations. Credential scanning tools are, by definition, processing secrets. Container scanners run inside your most sensitive CI environments. These tools are trusted implicitly — they are, after all, the tools you use to detect attackers.
TeamPCP identified this trust asymmetry and built a campaign around it. The attack surface is not a vulnerability. It is an architectural assumption: that the tools in your security pipeline are clean. That assumption has now demonstrably failed, twice against the same vendor, with documented parallel attacks across multiple ecosystems simultaneously.
The autonomous security problem makes this worse. When CI/CD runs KICS unattended at 3 AM to validate a Terraform PR, there is no human reviewing the image digest. The pipeline trusts the tag. The tag was poisoned for 84 minutes. The secrets in that Terraform file — AWS access keys, Azure client secrets, GCP service accounts — are gone. No alert fired because the scanner completed successfully and returned a clean bill of health.
Lyrie's position: Autonomous detection must extend to the detection toolchain itself. Trust verification cannot stop at the application layer. Every component of the security pipeline — scanner images, action workflows, CLI tools — requires integrity verification against known-good cryptographic digests before execution. This is not a nice-to-have. TeamPCP just demonstrated it is mandatory.
Defender Playbook
Immediate (0–24 hours)
1. Audit CI/CD pull logs for checkmarx/kics pulls between 2026-04-22 14:17:59 UTC and 2026-04-22 15:41:31 UTC. If any pipeline pulled during this window, treat all environment variables and cloud credentials accessible in that pipeline as compromised.
2. Search npm audit logs for @bitwarden/cli@2026.4.0 installation. If found: rotate all credentials present on the affected machine or CI environment. Uninstall immediately (npm uninstall -g @bitwarden/cli then reinstall @bitwarden/[email protected] from official Bitwarden channels with digest verification).
3. Check GitHub Actions audit logs for any runs of checkmarx/kics-github-action or checkmarx/ast-github-action during March 2026. Treat any secrets exposed to those runs as potentially compromised.
4. Rotate proactively if you run KICS in CI on Terraform, CloudFormation, or Kubernetes manifests — your IaC files contain exactly what the attacker wanted.
5. Search network egress logs for DNS queries or HTTP traffic to audit.checkmarx.cx (note: .cx not .com) from any CI/CD infrastructure.
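Step 1 has a tag-dependent rule that is easy to get wrong by hand: the five overwritten tags matter only inside the pull window, while the two attacker-created tags matter at any time. The sketch below is an added example, not tooling from Docker or Checkmarx; the log format, pipeline names and function names are assumptions, and the sample lines are constructed.

```python
from datetime import datetime, timezone

REPO = "checkmarx/kics"
# Tags overwritten in place: only pulls inside the window received the bad digest.
OVERWRITTEN = {"latest", "v2.1.20", "v2.1.20-debian", "alpine", "debian"}
# Tags that never existed legitimately: every pull is suspect.
ATTACKER_CREATED = {"v2.1.21", "v2.1.21-debian"}
WINDOW_START = datetime(2026, 4, 22, 14, 17, 59, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 4, 22, 15, 41, 31, tzinfo=timezone.utc)


def classify_pull(timestamp: str, image_ref: str) -> str:
    """Return 'compromised', 'pinned' or 'ok' for one pull event."""
    ts = datetime.fromisoformat(timestamp.replace("Z", "+00:00"))
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)  # assumption: naive timestamps are UTC
    name, _, digest = image_ref.removeprefix("docker.io/").partition("@")
    repo, _, tag = name.partition(":")
    if repo != REPO:
        return "ok"
    if digest:
        return "pinned"  # a tag overwrite cannot redirect a digest pull
    tag = tag or "latest"  # Docker defaults to :latest when no tag is given
    if tag in ATTACKER_CREATED:
        return "compromised"
    if tag in OVERWRITTEN and WINDOW_START <= ts <= WINDOW_END:
        return "compromised"
    return "ok"


# Constructed sample log: "<ISO-8601 timestamp> <pipeline> <image reference>"
SAMPLE_LOG = """\
2026-04-22T14:05:10Z build-api checkmarx/kics:latest
2026-04-22T14:30:00Z infra-plan checkmarx/kics:latest
2026-04-22T16:20:00+02:00 eu-deploy docker.io/checkmarx/kics:alpine
2026-04-22T18:00:00Z nightly checkmarx/kics:v2.1.21
2026-04-22T14:40:00Z pinned-job checkmarx/kics@sha256:<known-good-digest>
2026-04-22T14:45:00Z unrelated example/other-tool:1.0
"""


def triage(log_text: str) -> list[tuple[str, str]]:
    """Return (pipeline, image) pairs whose secrets must be treated as compromised."""
    hits = []
    for line in log_text.splitlines():
        if line.strip():
            ts, pipeline, image = line.split()
            if classify_pull(ts, image) == "compromised":
                hits.append((pipeline, image))
    return hits
```

Timestamps are compared as timezone-aware values, so a runner logging in local time with an offset (the eu-deploy line) is still matched against the UTC window.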
Short-Term (1–7 days)
6. Pin all security scanner images to SHA-256 digests, not mutable tags. checkmarx/kics:latest is not a version — it is a trust signal that can be revoked and replaced without notice. Use: checkmarx/kics@sha256:<known-good-digest>.
7. Implement image signing verification using Docker Content Trust (DCT) or Sigstore/cosign. Before a CI pipeline executes a scanner image, verify the cryptographic signature against the official publisher key.
8. Add network egress policy to CI runners: security tooling should not make outbound connections to arbitrary internet destinations. If a scanner has a telemetry feature, disable it and explicitly allow only the documented endpoints — verified against the official docs.
9. Review all security tool GitHub Actions pins. Every uses: some-vendor/scan-action@v2 in your workflows should be pinned to a commit SHA, not a mutable version tag.
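Steps 6 and 9 can be enforced as a pre-merge check that flags every mutable reference in a workflow file. This is an added example, not part of the original post or any vendor's tooling; it uses line-based matching rather than a YAML parser, the function name is hypothetical, and the commit SHA and digest in the sample are constructed values.

```python
import re

USES = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
IMAGE = re.compile(r"^\s*(?:-\s*)?image:\s*['\"]?([^'\"\s#]+)")
COMMIT_SHA = re.compile(r"^[0-9a-f]{40}$")      # full Git commit SHA
DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")   # immutable image digest


def unpinned_refs(workflow_text: str) -> list[tuple[int, str, str]]:
    """Return (line number, reference, reason) for every mutable reference."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        if (m := USES.match(line)):
            ref = m.group(1)
            if ref.startswith("./"):
                continue  # local action in the same repository
            if ref.startswith("docker://"):
                if not DIGEST.search(ref):
                    findings.append((lineno, ref, "image not pinned to sha256 digest"))
            elif not COMMIT_SHA.match(ref.partition("@")[2]):
                findings.append((lineno, ref, "action not pinned to commit SHA"))
        elif (m := IMAGE.match(line)) and not DIGEST.search(m.group(1)):
            findings.append((lineno, m.group(1), "image not pinned to sha256 digest"))
    return findings


SHA = "0123456789abcdef0123456789abcdef01234567"  # constructed commit SHA
DIG = "a" * 64                                    # constructed image digest
# Constructed workflow mixing pinned and mutable references.
SAMPLE_WORKFLOW = f"""\
jobs:
  scan:
    runs-on: ubuntu-latest
    container:
      image: checkmarx/kics:latest
    steps:
      - uses: actions/checkout@{SHA}
      - uses: some-vendor/scan-action@v2
      - uses: docker://checkmarx/kics:v2.1.20
      - uses: docker://checkmarx/kics@sha256:{DIG}
      - uses: ./.github/actions/report
"""

if __name__ == "__main__":
    for lineno, ref, reason in unpinned_refs(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref}: {reason}")
```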
Strategic (30+ days)
10. Establish a SBOM and integrity baseline for your security toolchain. Treat your security pipeline tools with the same rigor you apply to production dependencies.
11. Consider publisher credential security as a vendor risk criterion. If a vendor's publisher credentials can be stolen and used to push malicious packages without triggering internal alerts for 84+ minutes, that vendor's tooling carries elevated supply chain risk.
12. Deploy runtime behavioral monitoring inside CI runners. Unexpected outbound connections from a scanner process should generate an immediate alert — this is the detection that would have caught the KICS exfiltration in real time.
Sources
1. Docker Blog — "Trivy, KICS, and the shape of supply chain attacks so far in 2026" (Apr 23, 2026): https://www.docker.com/blog/trivy-kics-and-the-shape-of-supply-chain-attacks-so-far-in-2026/
2. BleepingComputer — "New Checkmarx supply-chain breach affects KICS analysis tool" (Apr 23, 2026): https://www.bleepingcomputer.com/news/security/new-checkmarx-supply-chain-breach-affects-kics-analysis-tool/
3. The Register — "Ongoing supply-chain attack 'explicitly targeting' security, dev tools" (Apr 27, 2026): https://www.theregister.com/2026/04/27/supply_chain_campaign_targets_security/
4. Endor Labs — "Shai-Hulud: The Third Coming — Inside the Bitwarden CLI 2026.4.0 Supply Chain Attack" (Apr 23, 2026): https://www.endorlabs.com/learn/shai-hulud-the-third-coming
5. Unit 42 / Palo Alto Networks — "The npm Threat Landscape: Attack Surface and Mitigations" (Apr 28, 2026): https://unit42.paloaltonetworks.com/monitoring-npm-supply-chain-attacks/
6. SafeDep — "Bitwarden CLI Supply Chain Compromise" (Apr 24, 2026): https://safedep.io/bitwarden-cli-supply-chain-compromise/
7. Cybernews — "Checkmarx suffers second massive supply chain attack, infecting developers with malware" (Apr 27, 2026): https://cybernews.com/security/checkmarx-popular-tools-spread-credential-stealing-malware/
8. Huntress — "Tradecraft Tuesday Recap: axios npm Supply Chain Compromise" (Apr 22, 2026): https://www.huntress.com/blog/axios-npm-compromise
Lyrie.ai Cyber Research Division — Senior Analyst Desk