When the Scanner Gets Scanned: How TeamPCP Turned Security Tools Into the Attack Surface
A Full Post-Mortem of the Trivy → Checkmarx → Bitwarden Cascade
TL;DR
A cybercrime crew dubbed TeamPCP executed a six-week cascading supply chain operation between February and April 2026 that may represent the most sophisticated "security vendor as pivot point" campaign ever documented. Beginning with a silent compromise of Aqua Security's Trivy vulnerability scanner, the attackers harvested CI/CD secrets from thousands of developer environments, then used those secrets to inject credential-stealing malware into Checkmarx KICS, LiteLLM, Telnyx, and finally the Bitwarden CLI password manager. Lapsus$ partnered for extortion, dumping a 96GB archive of Checkmarx source code, API keys, and database credentials. The final confirmed breach window closed on April 22 — but every tool poisoned along the way is still used daily by millions of developers worldwide.
The irony is brutal: the tools built to catch supply chain attacks were themselves the supply chain attack.
Background: The Developer Security Stack as a High-Value Target
For most enterprises, the "inner loop" of software delivery is now highly automated: code is committed, a CI/CD pipeline fires, security scanners check it, containers are built, and deployment happens — all without human touch. This automation is immensely efficient and immensely dangerous.
Every tool in that pipeline runs with elevated trust. CI/CD systems have read access to source code, write access to artifact registries, and secret mounts to cloud credentials. Vulnerability scanners like Trivy are deliberately given access to running containers, infrastructure manifests, and in many configurations, cloud provider credentials so they can scan live environments.
TeamPCP identified this trust topology as the perfect attack surface. If you compromise the scanner, you inherit the permissions of everything the scanner touches. And if the scanner is open source, you can inject your payload directly into the build artifact chain, ensuring every downstream user becomes a victim automatically — no phishing required.
This is the supply chain threat model at its most refined: trust transitivity exploitation at industrial scale.
Technical Analysis: The Six-Week Kill Chain
Phase 1: Trivy — Planting the Root (February–March 16, 2026)
Trivy is the dominant open-source vulnerability scanner maintained by Aqua Security. With over 23 million Docker Hub pulls and integration into virtually every major CI/CD platform (GitHub Actions, GitLab CI, CircleCI, Jenkins, ArgoCD), it is the de facto standard for container and infrastructure security scanning.
The initial Trivy compromise occurred in late February 2026. TeamPCP is believed to have obtained a maintainer's credentials — likely through a phishing campaign targeting the open source maintainer community, a pattern consistent with other known supply chain attacks. With repository write access, they made a surgical modification to Trivy's build pipeline, injecting a credential-harvesting module that would execute silently when Trivy ran against target environments.
On March 16, 2026, the malicious Trivy build was made available through official distribution channels. The payload collected:
- GitHub and GitLab tokens (from environment variables)
- npm and PyPI publishing tokens
- AWS, GCP, and Azure service account credentials
- SSH private keys
- Kubernetes config files (~/.kube/config)
- AI assistant configurations (including OpenAI API keys and Anthropic API keys)
All data was exfiltrated to attacker-controlled infrastructure using encrypted POST requests designed to blend with legitimate telemetry traffic. Defenders observing network logs would see what appeared to be standard scanner heartbeat traffic.
Trivy's install base meant that within 72 hours of the malicious build going live, approximately 1,000 cloud environments had already been compromised — Sophos X-Ops estimated this figure based on telemetry from its customer base, acknowledging this represented only a fraction of actual victims.
Phase 2: The Pivot — Using Trivy's Haul to Compromise Checkmarx KICS (March 23, 2026)
KICS (Keeping Infrastructure as Code Secure) is Checkmarx's open-source IaC scanner. It analyzes Terraform, CloudFormation, Dockerfile, Ansible, Helm, and Kubernetes manifests for security misconfigurations. Critically, KICS is used by security teams — its users disproportionately include security engineers, DevSecOps practitioners, and the teams responsible for their organizations' security posture.
Among the CI/CD secrets stolen from Trivy users were credentials granting write access to the Checkmarx KICS GitHub repositories and its associated Docker Hub account. This is where the cascade becomes viscerally dangerous: the vulnerability scanner's user base included security vendors, which meant compromising Trivy also compromised their downstream publishing pipelines.
On March 23, 2026, TeamPCP used these stolen credentials to:
1. Inject malware into the official checkmarx/kics Docker Hub image, replacing the legitimate KICS binary with a backdoored version
2. Poison two GitHub Actions workflows in the KICS repository, adding a post-execution credential-harvesting step
3. Compromise two OpenVSX marketplace plugins maintained under Checkmarx's organizational account
Socket.dev's research team analyzed the poisoned Docker image and found that "the bundled KICS binary was modified to include data collection and exfiltration capabilities not present in the legitimate version." The malware used the same credential collection profile as the Trivy payload, adding AI assistant configurations (a new target class) alongside the standard credential categories.
The C2 for this phase: audit.checkmarx[.]cx resolving to 94.154.172[.]43 — a domain specifically crafted to appear as legitimate Checkmarx telemetry infrastructure. Any network monitoring that allowed Checkmarx outbound traffic would have silently permitted the exfiltration.
Phase 3: Data Exfiltration from Checkmarx's Own GitHub (March 30, 2026)
The credentials harvested by the poisoned KICS tooling did not just affect KICS users. The compromised GitHub Actions workflows also ran within Checkmarx's own CI environment, giving the attackers persistent access to Checkmarx's internal GitHub repositories.
Over the week following the initial KICS compromise, TeamPCP used this access to exfiltrate Checkmarx's internal intellectual property. On March 30, 2026, the exfiltration was complete: source code, employee databases, API keys, and MongoDB and MySQL database credentials were stolen.
Checkmarx did not detect this exfiltration for approximately one week. When they did, they removed the malicious packages, revoked credentials, and blocked outbound access to the attacker's infrastructure. Standard incident response — but the data was already gone.
Phase 4: The Return — A Second Wave on April 22, 2026
This is where the Checkmarx incident becomes exceptional. Despite containment efforts, the attackers "either retained or regained access to the environment" and on April 22, 2026 — exactly one month after initial compromise — launched a second wave:
- A fresh poisoned DockerHub KICS image
- A backdoored GitHub Action
- A trojanized VS Code extension
- A malicious Developer Assist extension
The April 22 wave is significant because it coincides precisely with the Bitwarden CLI attack, and the two share the same C2 domain. The coordinated timing and shared infrastructure strongly suggest a single threat actor group — TeamPCP — operating against multiple targets simultaneously.
Phase 5: Bitwarden CLI — When the Password Manager Becomes the Weapon (April 22, 2026)
Bitwarden is arguably the most security-conscious choice a developer can make for password management. It is open source, audited by third parties, and trusted by over 10 million users including 50,000 business customers. Its CLI version is widely used in automation scripts, CI/CD pipelines, and server-side workflows.
On April 22 at 5:57 PM ET, a malicious version of the Bitwarden CLI — 2026.4.0 — was published to the npm registry. This version had no corresponding release on Bitwarden's GitHub repository, an immediate indicator that something was wrong. Socket.dev detected it. Bitwarden pulled it. Total window: 1 hour 33 minutes.
But the payload was fully functional during that window. Any developer who ran npm install @bitwarden/cli or updated the package during that 93-minute window received a version that would harvest and exfiltrate:
- npm tokens
- SSH keys
- Cloud credentials
- AI assistant API keys
- Bitwarden vault access (the crown jewel)
Bitwarden's own post-incident statement confirmed: "The investigation found no evidence that end user vault data was accessed or at risk." The attack leveraged a compromised GitHub Action in Bitwarden's CI/CD pipeline to publish the malicious npm version — the same technique pattern as the Checkmarx attack. The Checkmarx compromise appears to have provided the initial access vector.
Phase 6: Lapsus$ Monetization — The 96GB Dump
Simultaneously with the April 22 technical campaign, intelligence surfaced on social media and hacker forums that Lapsus$ — the extortion group known for compromising Okta, NVIDIA, Samsung, and Rockstar Games — had formed a partnership with TeamPCP for monetization.
On April 26, 2026, Lapsus$ added Checkmarx to its Tor-based leak site, publishing what it claimed was a 96GB archive containing:
- Checkmarx source code
- Employee databases
- API keys
- MongoDB and MySQL credentials
- Internal documentation
Checkmarx confirmed: "Current evidence indicates that this data originated from Checkmarx's GitHub repositories, and that access to those repositories was facilitated through the initial supply chain attack of March 23, 2026."
Mandiant was retained to assist with the investigation. Law enforcement was notified.
IOCs / Indicators of Compromise
| Indicator | Type | Context |
|-----------|------|---------|
| audit.checkmarx[.]cx | Domain | C2 for both KICS and Bitwarden payloads |
| 94.154.172[.]43 | IP | Resolves audit.checkmarx[.]cx |
| checkmarx/kics:latest (Docker Hub, March 23–April 22) | Container image | Poisoned build windows |
| @bitwarden/cli version 2026.4.0 (npm) | npm package | Malicious, April 22 2026 |
| lightning PyPI versions 2.6.2, 2.6.3 | PyPI package | Related TeamPCP campaign, April 30 2026 |
| TeamPCP GitHub Actions modification signatures | Behavioral | Post-build credential-harvesting step injected |
| Outbound POST requests to *.checkmarx.cx subdomains from CI runners | Network | Exfil indicator |
Affected and clean versions:
- Bitwarden CLI: any version except 2026.4.0; use 2026.4.1+
- PyTorch Lightning: 2.6.1 is clean; 2.6.2 and 2.6.3 are malicious; use 2.6.4+ when available
- KICS Docker images: pull images dated after April 23, 2026, from a verified digest
The Lapsus$ + TeamPCP Partnership: A New Criminal Business Model
The collaboration between TeamPCP and Lapsus$ deserves separate analysis. Historically, supply chain attackers and extortion groups have operated in separate lanes: supply chain crews silently harvest credentials for months; extortion groups combine stolen data with ransomware or public dumps for maximum pressure.
The TeamPCP/Lapsus$ model collapses this separation. TeamPCP is the technical collection arm; Lapsus$ provides the monetization infrastructure (leak site, negotiation leverage, media amplification). This partnership model offers something neither group could achieve alone:
- TeamPCP's supply chain access yields high-value intellectual property (source code, API keys) that ransomware typically destroys rather than leverages
- Lapsus$ provides a proven extortion brand that creates board-level panic without requiring ransomware deployment — no encryption, no noisy lateral movement, no EDR triggers
This is extortion-as-a-service applied to supply chain operations — and it worked. Checkmarx, one of the world's foremost application security vendors, is now a confirmed victim with publicly dumped credentials and source code.
Lyrie Take: The Meta-Irony That Should Reframe How We Think About Security Tools
The Trivy→Checkmarx cascade exposes something the security industry has been reluctant to confront: the security stack itself is the highest-value supply chain target.
Think about what runs with elevated permissions in a modern enterprise:
- Vulnerability scanners (Trivy, KICS, Snyk, Semgrep)
- Secret scanners (TruffleHog, Gitleaks, detect-secrets)
- SAST tools (CodeQL, Checkmarx, Veracode)
- CI/CD agents (GitHub Actions runners, GitLab Runners, Jenkins agents)
- Password managers (Bitwarden, 1Password, HashiCorp Vault)
Each of these tools runs in privileged contexts, with access to the full spectrum of secrets that protect your production environment. And each of them is open source or has open-source components. And each of them pulls dependencies from the same npm/PyPI/Docker registries that attackers now treat as attack surfaces.
The attack surface isn't your application code. The attack surface is the toolchain that reviews your application code.
Lyrie's autonomous security model applies to exactly this: continuous runtime integrity validation of the tools in your CI/CD pipeline. Behavioral baselining of scanner processes. Detection of unexpected outbound connections from build runners. Cryptographic attestation of build artifacts against known-good hashes before deployment.
The question isn't whether your code is clean. The question is whether the tool that told you your code was clean is clean.
Defender Playbook
Immediate (24-48 hours):
1. Audit all Bitwarden CLI instances — confirm no 2026.4.0 is present in any automated workflow, container image, or developer machine. Force update to latest verified version.
2. Audit PyTorch Lightning in ML pipelines — versions 2.6.2 and 2.6.3 are malicious. Freeze to 2.6.1 until 2.6.4+ is released and verified.
3. Check for audit.checkmarx[.]cx in DNS/proxy logs — any hits from CI runners or developer workstations going back to mid-March are potential indicators of compromise. Incident response if found.
4. Rotate all secrets exposed in KICS, Trivy, or Bitwarden-adjacent workflows — if any of these tools were used during the March 16 – April 22 window, assume credential exposure. Rotate: GitHub tokens, npm tokens, cloud IAM credentials, SSH keys, Kubernetes configs.
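One way to run the sweep in steps 1 to 3, as an added example that is not code from the vendors or researchers cited here. It refangs the indicators from the IOC table and checks DNS/proxy log lines, a package-lock.json, and a requirements file; the log layout and all sample inputs are constructed assumptions.

```python
import json
import re

# Indicators as published in this page's IOC table (still defanged).
DEFANGED_IOCS = ["audit.checkmarx[.]cx", "94.154.172[.]43"]
WILDCARD_SUFFIX = ".checkmarx.cx"          # the table's "*.checkmarx.cx" row
BAD_NPM = {"@bitwarden/cli": {"2026.4.0"}}
BAD_PYPI = {"lightning": {"2.6.2", "2.6.3"}}

def scan_logs(lines):
    """Return (line_no, indicator) for each DNS/proxy log line naming an IOC."""
    iocs = {i.replace("[.]", ".").lower() for i in DEFANGED_IOCS}
    hits = []
    for n, line in enumerate(lines, 1):
        # Split on anything that cannot be part of a hostname or IPv4 address,
        # so "ip:port" and trailing-dot FQDNs match but "checkmarx.com" does not.
        for tok in re.findall(r"[a-z0-9.-]+", line.lower()):
            tok = tok.strip(".")
            if tok in iocs or tok.endswith(WILDCARD_SUFFIX):
                hits.append((n, tok))
    return hits

def scan_package_lock(text):
    """Flag listed npm versions in a package-lock.json (lockfileVersion 2 or 3)."""
    hits = []
    for path, meta in json.loads(text).get("packages", {}).items():
        name = path.rpartition("node_modules/")[2]   # handles nested installs
        if meta.get("version") in BAD_NPM.get(name, ()):
            hits.append((name, meta["version"]))
    return hits

def scan_requirements(text):
    """Flag listed PyPI versions among '==' pins in a requirements file."""
    hits = []
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z0-9._-]+)\s*==\s*([^\s;#]+)", line)
        if m and m.group(2) in BAD_PYPI.get(m.group(1).lower(), ()):
            hits.append((m.group(1).lower(), m.group(2)))
    return hits

# Constructed sample inputs (not taken from any real environment).
SAMPLE_LOGS = [
    "2026-04-22T22:03:11Z runner-17 dns A audit.checkmarx.cx. NOERROR",
    "2026-04-22T22:03:12Z runner-17 tcp 10.0.4.17:51544 -> 94.154.172.43:443",
    "2026-04-22T22:03:15Z runner-04 dns A checkmarx.com NOERROR",
]
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "ci-tools"},
    "node_modules/@bitwarden/cli": {"version": "2026.4.0"},
    "node_modules/semver": {"version": "7.6.0"}}})
SAMPLE_REQS = "torch==2.3.0\nlightning==2.6.3  # ML pipeline\nrequests>=2.31\n"
```

Unpinned or range requirements (such as `lightning>=2.6`) are not flagged by `scan_requirements`; check the resolved versions in the built environment for those.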
Short-term (1-2 weeks):
5. Pin all CI/CD tool versions to verified digests — never use latest or floating version tags for security tools. Enforce version pinning in pipeline configs with commit SHA references.
6. Add egress filtering to CI runners — CI/CD runners should have no outbound internet access except to explicitly allowlisted artifact registries. Unexpected outbound from a build runner is an immediate incident trigger.
7. Implement SLSA Level 2+ for internal tooling — software provenance attestation for every artifact used in your build pipeline. Builders should produce signed attestations; consumers should verify before use.
8. Audit GitHub Actions permission scopes — contents: write and packages: write permissions in workflows should be exceptions, not defaults. Implement workflow permission hardening across all repositories.
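A sketch of the checks in steps 5 and 8, as an added example that is not part of the original playbook: a line-based audit of a GitHub Actions workflow that flags actions not pinned to a full commit SHA, container images not pinned to a digest, and `contents: write` / `packages: write` grants. The workflow, the `example-org/example-scan-action` name, and the SHA are constructed placeholders.

```python
import re

SHA_RE = re.compile(r"[0-9a-f]{40}")                # full commit SHA
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")    # immutable image digest
WRITE_SCOPES = {"contents", "packages"}             # scopes named in step 8


def audit_workflow(text):
    """Return (line_no, finding) pairs for one GitHub Actions workflow file."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split(" #", 1)[0].strip()        # drop trailing comments
        uses = re.match(r"(?:-\s*)?uses:\s*['\"]?([^'\"\s]+)", line)
        image = re.match(r"(?:-\s*)?image:\s*['\"]?([^'\"\s]+)", line)
        scope = re.match(r"([\w-]+):\s*write$", line)
        if uses:
            ref = uses.group(1)
            if ref.startswith("./"):
                continue                            # local action, lives in the repo
            if ref.startswith("docker://"):
                if not DIGEST_RE.search(ref):
                    findings.append((n, "image-not-digest-pinned"))
            elif not SHA_RE.fullmatch(ref.rpartition("@")[2]):
                findings.append((n, "action-not-sha-pinned"))
        elif image and not DIGEST_RE.search(image.group(1)):
            findings.append((n, "image-not-digest-pinned"))
        elif scope and scope.group(1) in WRITE_SCOPES:
            findings.append((n, scope.group(1) + "-write"))
        elif re.match(r"permissions:\s*write-all$", line):
            findings.append((n, "permissions-write-all"))
    return findings


# Constructed workflow; the 40-hex SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: iac-scan
on: push
permissions:
  contents: write
jobs:
  kics:
    runs-on: ubuntu-latest
    container:
      image: checkmarx/kics:latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
      - uses: example-org/example-scan-action@v2
"""
```

A SHA pin only fixes which commit runs; it does not show that the commit was clean, so pair it with review of the pinned revision.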
Structural (1-3 months):
9. Establish a security tool inventory with integrity monitoring — know every scanner, SAST tool, and secret manager running in your environment. Monitor for unexpected version changes.
10. Deploy runtime behavioral monitoring on build runners — process execution, network connections, and file system writes from CI runners should be baselined and anomaly-detected. A scanner making unusual POST requests during a build is a detectable signal.
11. Treat your security vendor as a third-party risk — Checkmarx, Trivy, Bitwarden — these are software vendors like any other. Include them in your third-party risk assessment program. Monitor their security advisories. Have a rollback plan when they are compromised.
12. Implement a cryptographic artifact trust model — evaluate Sigstore/Cosign for container image signing and verification in your pipeline. Docker Hub's "official image" designation is not sufficient; verify build provenance.
Sources
1. SecurityWeek — "Checkmarx Confirms Data Stolen in Supply Chain Attack" (April 29, 2026): https://www.securityweek.com/checkmarx-confirms-data-stolen-in-supply-chain-attack/
2. The Register — "Ongoing supply-chain attack 'explicitly targeting' security, dev tools" (April 27, 2026): https://www.theregister.com/2026/04/27/supply_chain_campaign_targets_security/
3. CSO Online — "Bitwarden CLI password manager trojanized in supply chain attack" (April 25, 2026): https://www.csoonline.com/article/4162865/bitwarden-cli-password-manager-trojanized-in-supply-chain-attack.html
4. Sophos X-Ops — "Supply chain attacks hit Checkmarx and Bitwarden developer tools" (April 27, 2026): https://www.sophos.com/en-us/blog/supply-chain-attacks-hit-checkmarx-and-bitwarden-developer-tools
5. SecurityWeek — "Bitwarden NPM Package Hit in Supply Chain Attack" (April 25, 2026): https://www.securityweek.com/bitwarden-npm-package-hit-in-supply-chain-attack/
6. Socket.dev — "lightning PyPI Package Compromised in Supply Chain Attack": https://socket.dev/blog/lightning-pypi-package-compromised
7. The Hacker News — "SAP-Related npm Packages Compromised by Mini Shai-Hulud" (April 30, 2026): https://thehackernews.com/2026/04/sap-npm-packages-compromised-by-mini.html
8. StepSecurity Blog — "A Mini Shai-Hulud Has Appeared": https://www.stepsecurity.io/blog/a-mini-shai-hulud-has-appeared
9. Checkmarx Security Advisory (April 29, 2026): https://checkmarx.com/blog/supply-chain-security-incident-update/
Lyrie.ai Cyber Research Division — Senior Analyst Desk