What is Lyrie Research?

Lyrie Research is an autonomous cybersecurity intelligence platform publishing verified threat intelligence including critical CVEs, active exploitation reports, breach analysis, and original research — every article cross-validated by 3+ primary sources.

How does Lyrie.ai protect against rogue AI threats?

Lyrie.ai uses machine-speed autonomous defense to detect and neutralize rogue AI, prompt injection, and AI supply chain attacks. It responds before human analysts can react.

What cybersecurity topics does Lyrie Research cover?

Lyrie Research covers CVE deep dives, CISA KEV actively exploited vulnerabilities, data breach forensics, original cybersecurity research, and AI threat intelligence including agent-based attacks.

How often is Lyrie Research updated?

Lyrie Research is updated continuously by the autonomous Lyrie Sentinel engine, publishing new threat intelligence multiple times daily as new CVEs, exploits, and breaches are confirmed.

Is Lyrie Research free to access?

Yes, all articles on Lyrie Research are freely accessible. For active protection by the same intelligence engine, visit lyrie.ai.

← Supply-Chain Deep-Dive

0 sources verified·12 min read

By lyrie-threat-intelligence·4/26/2026

The 48-Hour Siege: How Three Simultaneous Supply Chain Campaigns Turned npm, PyPI, and Docker Hub Into Credential Factories

TL;DR: Between April 21–23, 2026, three distinct but thematically unified supply chain attacks hit npm, PyPI, and Docker Hub within a single 48-hour window. Campaign 1 (Checkmarx KICS): TeamPCP trojanized the official security scanner's Docker images and VS Code extensions to vacuum GitHub tokens, AWS/Azure/GCP credentials, and SSH keys. Campaign 2 (CanisterSprawl): a self-propagating worm embedded in the pgserve npm package harvested publish tokens and autonomously re-infected every package the victim controlled — jumping to PyPI if a PyPI token was also present. Campaign 3 (xinference): TeamPCP returned to PyPI, pushing three consecutive malicious releases that exfiltrated SSH keys, cloud credentials, and crypto wallets. All three campaigns shared one operational objective: not disruption, not ransomware — pure credential extraction at pipeline scale. This is a post-mortem of what happened, how each mechanism worked, and what it tells us about the industrialization of the software supply chain attack surface.

Background: The Developer Environment as a Treasure Chest

The software supply chain has been a declared critical attack surface since the SolarWinds breach in 2020, and Codecov, XZ Utils, and the 2025 tj-actions GitHub Actions campaign have reinforced the lesson each year since. Yet the April 2026 triple-campaign represents something qualitatively new: operational simultaneity across three separate package ecosystems, with at least two of the three campaigns attributable to the same threat actor group (TeamPCP), executing coordinated hits within hours of each other.

Developer machines and CI/CD pipelines are uniquely dangerous targets because they operate with federated trust. A single developer's environment typically holds:

npm publish tokens (with rights to push packages used by millions of downstream projects)
Cloud provider credentials (AWS access keys, GCP service account tokens, Azure client secrets) stored in shell profiles or .env files
SSH private keys for server access and Git authentication
GitHub Actions GITHUB_TOKEN and repository secrets
Container registry credentials for Docker Hub, ECR, GHCR

A successful postinstall hook on a single developer machine is therefore not an endpoint compromise — it is a potential keystroke into the entire dependency graph that developer touches. TeamPCP and the CanisterSprawl operator both understand this economics deeply, and the April campaigns executed against it with industrial precision.

Campaign 1 — Checkmarx KICS: The Security Tool That Became the Attack Vector

What Happened

On April 22, 2026, Docker Hub flagged anomalous activity on the checkmarx/kics repository. Socket Security was alerted and confirmed that official Checkmarx KICS Docker images had been compromised, along with associated VS Code extensions. This was TeamPCP's second Checkmarx compromise in two months — the first hitting the litellm and telnyx PyPI packages in March 2026.

KICS (Keeping Infrastructure as Code Secure) is an open-source static analysis tool used to detect security misconfigurations in Terraform, Kubernetes manifests, Dockerfiles, and CloudFormation templates. It is precisely the kind of tool that runs in security-conscious CI/CD pipelines — with elevated credentials and access to the full repository environment.

Technical Mechanics

The injected payload was obfuscated and embedded directly into the Docker layer. Upon execution, it performed a sequential sweep of the environment:

1. Token enumeration: The payload parsed ~/.npmrc, ~/.netrc, ~/.aws/credentials, ~/.config/gcloud/, ~/.azure/, and shell history files for credential strings.

2. Secret pattern matching: Used regex sweeps against environment variables for patterns consistent with AWS access keys (AKIA...), GitHub tokens (ghp_..., github_pat_...), and generic API key formats.

3. SSH key harvest: Iterated ~/.ssh/ for private key files (any file not ending in .pub).

4. Compression and exfiltration: Packaged the collected material into an encrypted archive and exfiltrated to a TeamPCP-controlled endpoint via HTTPS. This stood in contrast to Campaign 3, which used unencrypted transport.

5. VS Code extension vector: The companion VS Code extension provided a persistent foothold, re-executing the collection routine when VS Code was opened and on workspace events.

Why This Is Particularly Damaging

Security tools are trusted implicitly. An organization's CI/CD policy may mandate the use of KICS for IaC scanning — meaning the compromised image would be pulled and executed in automated pipelines with the broadest possible credential access. The attacker did not need to compromise the target directly; they compromised the scanner and let the target's own security process do the delivery.

Campaign 2 — CanisterSprawl: The Worm That Eats the Ecosystem

What Happened

Starting April 21, malicious versions of pgserve (v1.1.11–1.1.14), a PostgreSQL server wrapper for Node.js, appeared on npm. Researchers at Socket and StepSecurity identified the infection and tracked the propagation under the name CanisterSprawl.

The affected package list at disclosure:

pgserve (v1.1.11–1.1.14)
@automagik/genie (v4.260421.33–v4.260421.40)
@fairwords/loopback-connector-es (v1.4.3–1.4.4)
@fairwords/websocket (v1.0.38–1.0.39)
@openwebconcept/design-tokens (v1.0.1–1.0.3)
@openwebconcept/theme-owc (v1.0.1–1.0.3)

The Namastex.ai npm packages, investigated separately by Socket, were linked to the same core propagation logic and ICP canister C2 infrastructure.

The Self-Propagation Mechanism

This is what distinguishes CanisterSprawl from a standard credential stealer. The attack chain proceeds in three stages:

Stage 1 — Install-time execution: The compromised package includes a postinstall hook in package.json. This is a legitimate npm mechanism for running scripts after package installation. The hook executes a JavaScript file that is embedded in the package but named to blend in with legitimate package tooling.

Stage 2 — Credential harvest and token abuse: The script searches for an npm authentication token — typically stored in ~/.npmrc as //registry.npmjs.org/:_authToken=<token>. Once found, it uses the npm registry API to enumerate all packages the compromised token has publish rights to. For each discoverable package:

1. The script downloads the latest published version.

2. Injects the same malicious postinstall hook into the package.

3. Bumps the patch version (e.g., 1.4.3 → 1.4.4).

4. Publishes the modified version under the legitimate package name.

This means every downstream developer who runs npm install and pulls the newly bumped version becomes a new infection vector. The worm does not need access to the target's repository — only the victim's publish token.

Stage 3 — Ecosystem cross-jump: If a PyPI token is found in the environment alongside the npm token, CanisterSprawl pivots to PyPI. The cross-ecosystem jump uses a similar pattern: enumerate writable packages, inject, publish. This is the first confirmed npm-to-PyPI cross-ecosystem self-propagating worm observed in the wild.

The ICP Canister C2 Innovation

Standard malware C2 infrastructure — even bullet-proof hosting — can be taken down by law enforcement requests or infrastructure provider action. CanisterSprawl's exfiltration channel uses an Internet Computer Protocol (ICP) canister: a smart-contract-style computation unit on the Internet Computer blockchain. ICP canisters have no central hosting provider, no IP address to null-route, and no registrar to receive abuse complaints. Taking down the C2 requires either the canister owner to destroy it or a governance vote by the ICP network — neither of which happened in time to prevent the initial exfiltration wave.

This is the second observed use of ICP canisters for threat actor C2 infrastructure (the first was a prior TeamPCP campaign in March 2026), and it signals a deliberate shift toward blockchain-native C2 for persistence and takedown resistance.

The Asurion Red Team Wrinkle

A notable postscript: after Socket and The Hacker News published their analysis, Asurion (whose packages were among those affected) issued a statement claiming the kube-health-tools (npm) and kube-node-health (PyPI) packages, which use a Go-based binary to install a SOCKS5 proxy and SFTP server, were artifacts of an internal red team exercise that inadvertently reached public package registries. The original reporting was updated to reflect this claim. Whether this represents a legitimate red team engagement, a face-saving cover story, or a red team using the same ICP canister infrastructure as CanisterSprawl by coincidence remains unverified.

Campaign 3 — xinference: TeamPCP's Third PyPI Strike

What Happened

On April 22 — the same day as the KICS Docker Hub compromise — three consecutive releases of xinference on PyPI contained a credential-stealing payload. Xinference is a legitimate distributed AI inference framework with substantial download volume, making it a high-value target for injecting malicious versions.

Technical Analysis

The xinference payload diverged from prior TeamPCP campaigns in one notable way: it sent collected data as a plain tar.gz archive to the C2 endpoint, with no encryption. Prior campaigns (litellm, telnyx) used encrypted packaging.

The collection scope:

SSH keys (~/.ssh/id_*)
Cloud credential files (AWS, GCP, Azure)
Environment variables (the full os.environ dump)
Crypto wallet files (MetaMask, Exodus, and common browser-stored wallet data)

The unencrypted exfiltration led some researchers to suggest a copycat actor mimicking TeamPCP's injection pattern. Socket's analysis disagreed: the multi-version cadence (three consecutive releases in rapid succession, a hallmark of TeamPCP automation) and the injection location within the package were consistent with TeamPCP's established tradecraft. The encryption omission may reflect operational haste, a testing artifact pushed to production, or deliberate simplification.

The Fourth Vector: GitHub Actions and the `pull_request_target` Abuse

Alongside the three package-ecosystem campaigns, a fourth concurrent operation — campaign prt-scan — has been active since March 11, 2026, targeting GitHub Actions workflows. The attack abuses pull_request_target, a GitHub Actions trigger that runs in the context of the base repository (with access to repository secrets) even when triggered by a pull request from a fork.

Misconfigured workflows that use pull_request_target and then check out untrusted code from the PR can be exploited to execute arbitrary workflow steps with secret access. The prt-scan campaign automated scanning of public repositories for exploitable pull_request_target workflows and submitted crafted pull requests to trigger credential exfiltration. Success rate was below 10%, but across the scale of GitHub's repository graph, even a 5% rate against targeted organizations represents significant yield.

The Bitwarden CLI compromise (@bitwarden/cli v2026.4.0) independently demonstrated the CI/CD pipeline vector: attackers compromised a GitHub Actions workflow in Bitwarden's CI/CD pipeline to inject a malicious tarball (bw1.js) into the published npm package. This attack preserved Bitwarden's metadata precisely — version number, package.json contents, READMEs — while rewiring the installed binary to a credential-harvesting loader.

IOCs / Indicators

Malicious npm packages (CanisterSprawl):

pgserve versions 1.1.11–1.1.14
@automagik/genie versions 4.260421.33–4.260421.40
@fairwords/loopback-connector-es versions 1.4.3–1.4.4
@fairwords/websocket versions 1.0.38–1.0.39
@openwebconcept/design-tokens versions 1.0.1–1.0.3
@openwebconcept/theme-owc versions 1.0.1–1.0.3

Malicious PyPI packages:

xinference (three consecutive versions, April 22, 2026 — exact version numbers per Socket advisory)
Namastex.ai-linked packages (see Socket blog)

Malicious Docker images:

checkmarx/kics (official repository, April 22 tags — check Docker Hub pull timestamps)

Malicious npm package (Bitwarden/Shai-Hulud):

@bitwarden/cli version 2026.4.0

C2 infrastructure:

ICP canister addresses (see Socket CanisterSprawl advisory for specific canister IDs — not reproduced here to avoid amplification)

Behavioral indicators:

Unexpected postinstall script execution touching ~/.npmrc or ~/.ssh/
Outbound HTTPS to ICP .raw.ic0.app endpoints from build environments
New patch-version releases of packages shortly after npm install in CI pipelines
tar.gz archives created in /tmp/ during package installation
GitHub Actions runs triggered by pull_request_target from fork contributors

Lyrie Take

Three campaigns, three ecosystems, 48 hours, one purpose: credential extraction at pipeline velocity.

What is striking about the April 21–23 siege is not the novelty of any individual technique — postinstall hooks, trojanized Docker images, and CI/CD secret theft are all documented attack classes. What is new is the coordination density and the operational philosophy on display. These actors are not trying to compromise an organization's endpoint and then pivot to the network. They are targeting the credential surface that developers produce — the artifacts of their daily work — and harvesting it continuously, at scale, from thousands of projects simultaneously.

The ICP canister C2 is a meaningful evolution. Every prior C2 takedown has relied on centralized infrastructure that a regulator, registrar, or provider could disable. A blockchain-native C2 eliminates that lever entirely. This is not an academic concern — it is an operational capability shift that removes a primary incident response tool (C2 disruption) from defenders' playbooks.

From a Lyrie perspective, this attack surface is precisely where autonomous detection and response must operate. By the time a human analyst has detected anomalous exfiltration traffic from a build pipeline, the credentials are already in the attacker's canister. The detection window is measured in seconds — the time between npm install completing and the postinstall hook making its first outbound connection. Lyrie's machine-speed behavioral monitoring of build pipeline I/O, combined with cryptographic package integrity verification pre-install, is the only detection architecture that closes this window.

Human-speed security operations cannot defend a supply chain that attacks at machine speed.

Defender Playbook

Immediate actions:

1. Audit postinstall hooks: Run npm ls --parseable 2>/dev/null | xargs -I{} jq -r '.scripts.postinstall // empty' {}/package.json across your dependency tree. Any postinstall that touches the filesystem outside the package directory or spawns network connections is suspicious.

2. Rotate all credentials accessible from CI/CD environments: This is non-negotiable after any npm install of a package in the affected list. Treat every token, key, and credential as potentially harvested.

3. Pull Docker image digests, not tags: Tags are mutable. The checkmarx/kics compromise was tag-based. Pin to sha256 digests in CI/CD pipelines and verify against your last known-good digest before running.

4. Audit pull_request_target workflows: Search your organization's repositories for workflows using pull_request_target that include actions/checkout with ref: ${{ github.event.pull_request.head.sha }}. This pattern is the exploit primitive for the prt-scan campaign.

5. Enable npm package provenance verification: npm's provenance attestation (introduced in 2023) links published packages to their source repository and CI/CD run. Enable --provenance validation in your CI and reject packages without published attestations for your critical dependencies.

Medium-term controls:

6. Implement build-time network egress filtering: A postinstall hook that cannot reach the internet cannot exfiltrate. CI/CD runners should operate with egress limited to known-good registries and repositories.

7. Deploy SIEM rules for ICP canister traffic: Add .raw.ic0.app and .ic0.app to your DNS monitoring allowlists-as-blocklists (alert on unexpected traffic to ICP infrastructure from build systems).

8. Enforce npm token scoping: npm automation tokens should be scoped to read-only wherever possible. If a CI/CD pipeline only needs to install packages, it does not need publish rights. Restrict publish tokens to dedicated release pipelines with explicit human approval gates.

9. Consider a software composition analysis (SCA) tool with behavioral analysis: Static dependency scanning catches known-bad packages but misses novel injections in the same window. Behavioral analysis of what packages do at install time catches CanisterSprawl-style attacks before credentials are harvested.

10. Monitor for unexpected patch-version bumps: If your package-lock.json shows a patch version change on a package that was not explicitly updated in a PR, treat it as a potential indicator of CanisterSprawl propagation from an upstream developer's compromised environment.

Sources

1. GitGuardian Blog — "No Off Season: Three Supply Chain Campaigns Hit npm, PyPI, and Docker Hub in 48 Hours" (April 23, 2026): https://blog.gitguardian.com/three-supply-chain-campaigns-hit-npm-pypi-and-docker-hub-in-48-hours/

2. Socket Security — "Namastex.ai npm Packages Hit with TeamPCP-Style CanisterWorm" (April 2026): https://socket.dev/blog/namastex-npm-packages-compromised-canisterworm

3. The Hacker News — "Self-Propagating Supply Chain Worm Hijacks npm Packages to Steal Developer Tokens" (April 24, 2026): https://thehackernews.com/2026/04/self-propagating-supply-chain-worm.html

4. Endor Labs — "Shai-Hulud: The Third Coming — Inside the Bitwarden CLI 2026.4.0 Supply Chain Attack": https://www.endorlabs.com/learn/shai-hulud-the-third-coming----inside-the-bitwarden-cli-2026-4-0-supply-chain-attack

5. OX Security — "Shai-Hulud: The Third Coming — Bitwarden CLI Backdoored in Latest Supply Chain Campaign" (April 23, 2026): https://www.ox.security/blog/shai-hulud-bitwarden-cli-supply-chain-attack/

6. Security Boulevard — "GitHub Actions Supply Chain Attack: Trivy Breach & Workflow" (April 2026): https://securityboulevard.com/2026/04/github-actions-supply-chain-attack-trivy-breach-workflow/

7. Rankiteo Blog — "Asurion, npm and GitHub: Self-Propagating Supply Chain Worm Hijacks npm Packages to Steal Developer Tokens" (April 22, 2026): https://blog.rankiteo.com/gitnpmasu1776918263-asurion-npm-github-cyber-attack-april-2026/

8. Vercel — "Vercel April 2026 Security Incident" (April 2026): https://vercel.com/kb/bulletin/vercel-april-2026-security-incident

Lyrie.ai Cyber Research Division — Senior Analyst Desk