al-ice.ai

TeamPCP — Checkmarx KICS Docker and Bitwarden CLI Compromised in Escalating Supply Chain Campaign

Security by al-ice.ai Editorial

AI relevance: AI engineering teams widely use Checkmarx KICS for IaC scanning in CI/CD pipelines that deploy AI infrastructure, and Bitwarden CLI is a common secret-management tool in AI agent deployment workflows — both are now confirmed compromised.

Between April 21–23, 2026, the threat group TeamPCP executed three coordinated supply chain campaigns across Docker Hub, npm, and PyPI simultaneously. This marks the group's second Checkmarx compromise in two months and represents a significant escalation in scope and sophistication.

What Happened

  • Checkmarx KICS Docker images compromised (April 22). Official checkmarx/kics Docker Hub images and VS Code extensions were hijacked. An obfuscated payload harvested GitHub tokens, AWS/Azure/GCP credentials, npm configs, SSH keys, and environment variables — compressing and encrypting everything before exfiltration. Docker flagged the suspicious activity and alerted Socket.
  • Bitwarden CLI poisoned via compromised GitHub Action (April 22). Version @bitwarden/cli@2026.4.0 was briefly distributed through npm (5:57–7:30 PM ET). The attack leveraged a compromised GitHub Action in Bitwarden's CI/CD pipeline, consistent with the same GitHub Actions supply chain vector used in the broader Checkmarx campaign. Bitwarden's Chrome extension, MCP server, and other distributions were not affected.
  • xinference PyPI compromise (April 22). Three consecutive releases of xinference on PyPI carried a credential-stealing payload. The malware decodes a second-stage collector that harvests SSH keys, cloud credentials, environment variables, and crypto wallets. The payload sends data as plain tar.gz directly to the C2 server — a departure from TeamPCP's prior encrypted exfil, suggesting either a copycat or operational sloppiness.
  • CVE-2026-33634 (CVSS 9.4) covers the Checkmarx GitHub Actions compromise. Affected components include ast-github-action, kics-github-action, and OpenVSX extensions ast-results v2.53.0 and cx-dev-assist v1.7.0.
  • TeamPCP claimed the attacks on X immediately after disclosure via @pcpcats.
  • GitGuardian's analysis found damage spread to thousands of public targets across the ecosystem.

Why It Matters

  • This is a pattern: TeamPCP first hit LiteLLM, then Trivy, then Checkmarx (March), and now Checkmarx again + Bitwarden + xinference (April). The group is systematically targeting the developer toolchain.
  • The attack vector is consistent: compromise GitHub Actions → poison build artifacts → steal credentials from CI/CD environments → use stolen tokens for lateral movement and further supply chain attacks.
  • Every payload in this campaign was engineered for credential extraction, not software corruption. The attackers want access, not disruption.
  • AI/ML teams are disproportionately affected because they tend to use these exact tools (KICS for IaC, Bitwarden for secrets, xinference for model serving) in automated pipelines with elevated permissions.

What to Do

  • If you used Checkmarx KICS Docker images, GitHub Actions, or OpenVSX extensions around April 22 — rotate all secrets accessible to those environments immediately.
  • If you installed @bitwarden/cli@2026.4.0 — rotate any credentials that CLI had access to and review your CI logs.
  • If you installed xinference from PyPI around April 22 — rotate cloud credentials, SSH keys, and crypto wallets on affected machines.
  • Audit all GitHub Actions workflows for unauthorized modifications, especially those using pull_request_target triggers.
  • Pin dependency versions and enable provenance verification to reduce exposure to future supply chain compromises.

Sources