GitGuardian — Three Supply Chain Campaigns Hit npm, PyPI, and Docker Hub in 48 Hours
AI relevance: All three campaigns specifically targeted AI pipeline credentials — LLM API keys, cloud ML service tokens, and developer environment secrets used to configure AI tooling in CI/CD and agent deployments.
What happened
GitGuardian documented three separate supply chain attacks across npm, PyPI, and Docker Hub within a 48-hour window (April 21–23, 2026). Each campaign had different targets and likely different operators, but shared the same objective: steal secrets from developer environments and CI/CD pipelines.
Campaign 1: Checkmarx KICS — Compromised Security Scanner
- Official Checkmarx KICS Docker images and VS Code extensions were compromised on April 22.
- An obfuscated payload harvested GitHub tokens, AWS/Azure/GCP credentials, npm configs, SSH keys, and environment variables, compressing and encrypting everything before exfiltration.
- Attributed to TeamPCP — the group behind the March LiteLLM and Telnyx PyPI compromises.
- This marks TeamPCP's second Checkmarx-related attack in two months.
Campaign 2: CanisterSprawl — Self-Propagating npm Worm
- Malicious versions of pgserve (PostgreSQL server for Node.js) appeared on npm on April 21.
- A postinstall hook injects a credential-harvesting script on every npm install.
- Self-propagation logic: finds npm publish tokens the victim owns, bumps the patch version, injects the payload, and republishes — turning one compromised machine into additional package compromises.
- Cross-ecosystem jump: if a PyPI token is found, the worm generates a Python .pth-based payload and uploads malicious packages via Twine.
- Uses Internet Computer Protocol (ICP) canisters as resilient, decentralized C2 infrastructure (tracked by Socket and StepSecurity as CanisterSprawl).
- Follow-up investigation linked compromised Namastex.ai npm packages to the same campaign.
Campaign 3: Xinference — TeamPCP Returns to PyPI
- Three consecutive releases of xinference (an AI/ML inference framework) on PyPI carried a credential-stealing payload on April 22.
- The malware decodes a second-stage collector that harvests SSH keys, cloud credentials, environment variables, and crypto wallets.
- Technical difference from prior TeamPCP campaigns: the payload sends plain tar.gz directly to C2 without encryption, leading some researchers to suspect a copycat.
- The injection pattern and multi-version cadence remain consistent with TeamPCP's established tradecraft.
Why it matters
- Three ecosystems hit in 48 hours demonstrates that supply chain attacks are no longer isolated incidents — they're operating at campaign velocity.
- The CanisterSprawl worm's cross-ecosystem propagation (npm → PyPI via Twine) shows attackers are building automated tools to jump between package registries.
- ICP canisters as C2 infrastructure represent a novel persistence mechanism — decentralized and harder to take down than traditional C2 servers.
- None of these attacks aimed to corrupt software delivery; they were pure credential-harvesting operations aimed at LLM keys, cloud tokens, and service credentials for follow-on access.
- TeamPCP's continued targeting of AI-adjacent packages (LiteLLM, xinference, Checkmarx KICS) signals that AI infrastructure is a persistent priority for this threat actor.
What to do
- Audit your package.json and requirements.txt for any of the affected packages; check install timestamps around April 21–23.
- Rotate all developer environment credentials — especially npm publish tokens, PyPI API keys, and cloud service credentials stored in .env files.
- Enable package registry signing and pin dependency versions with lockfiles; consider using private mirrors with vulnerability scanning.
- Monitor for ICP canister-based C2 indicators in your threat intelligence feeds — this infrastructure pattern may appear in future campaigns.
- Restrict CI/CD pipeline permissions to least-privilege; compromise of a single developer machine should not cascade to production credential access.
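The audit step above (package.json and requirements.txt against the affected package names, plus install timestamps in the April 21–23 window) and the Campaign 2 detail that the npm payload rides on a postinstall hook both lend themselves to a small local check. The script below is an added example written for this digest, not code from GitGuardian or from any of the projects named. It takes only the package names from the write-up (pgserve on npm, xinference on PyPI); since no malicious version numbers are given here, every version of those names is flagged for manual review. The hasInstallScript flag it reads is the field npm writes into lockfileVersion 2/3 entries for packages with preinstall/install/postinstall hooks; the mtime of node_modules/<name>/package.json is used as an approximation of install time. The sample project tree is constructed inside the script so it runs offline.

```python
"""Audit a project tree for the packages named in the write-up, flag npm
install scripts, and check install timestamps against April 21-23, 2026.
Added example; the sample project in build_sample_project() is constructed."""
import json
import os
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Package names come from the write-up. It gives no version numbers, so every
# version is flagged for manual review rather than matched against a fixed list.
WATCHLIST = {"npm": {"pgserve"}, "pypi": {"xinference"}}
WINDOW_START = datetime(2026, 4, 21, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 4, 24, tzinfo=timezone.utc)  # exclusive, so April 21-23 inclusive


def in_window(mtime: float) -> bool:
    ts = datetime.fromtimestamp(mtime, tz=timezone.utc)
    return WINDOW_START <= ts < WINDOW_END


def parse_requirements(text: str) -> dict:
    """Map normalized requirement names to their version spec ('*' if unpinned)."""
    reqs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # skip blanks and options such as -r / --index-url
            continue
        m = re.match(r"([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*)", line)
        if m:
            name = re.sub(r"[-_.]+", "-", m.group(1)).lower()  # PEP 503 name normalization
            reqs[name] = m.group(2).strip() or "*"
    return reqs


def audit_npm(project: Path) -> list:
    findings = []
    declared = {}
    if (project / "package.json").exists():
        data = json.loads((project / "package.json").read_text())
        for key in ("dependencies", "devDependencies", "optionalDependencies"):
            declared.update(data.get(key, {}))
    locked = {}
    if (project / "package-lock.json").exists():
        # lockfileVersion 2/3 keys entries by path; hasInstallScript marks packages
        # whose preinstall/install/postinstall hooks run on npm install.
        packages = json.loads((project / "package-lock.json").read_text()).get("packages", {})
        for path, entry in packages.items():
            if "node_modules/" in path:
                locked[path.rsplit("node_modules/", 1)[1]] = entry
    for name in sorted(WATCHLIST["npm"]):
        if name not in declared and name not in locked:
            continue
        entry = locked.get(name, {})
        installed = project / "node_modules" / name / "package.json"
        findings.append({
            "ecosystem": "npm",
            "package": name,
            "version": entry.get("version") or declared.get(name, "unknown"),
            "install_script": bool(entry.get("hasInstallScript")),
            "installed_in_window": installed.exists() and in_window(installed.stat().st_mtime),
        })
    return findings


def audit_pypi(project: Path) -> list:
    findings = []
    req = project / "requirements.txt"
    if not req.exists():
        return findings
    reqs = parse_requirements(req.read_text())
    for name in sorted(WATCHLIST["pypi"]):
        if name in reqs:
            findings.append({"ecosystem": "pypi", "package": name, "version": reqs[name]})
    return findings


def audit(project: Path) -> list:
    return audit_npm(project) + audit_pypi(project)


def build_sample_project() -> Path:
    """Constructed sample tree: one watchlisted npm package with an install script,
    installed inside the window, and one watchlisted PyPI requirement.  The version
    strings are made up for the demonstration."""
    root = Path(tempfile.mkdtemp(prefix="audit-"))
    (root / "package.json").write_text(json.dumps(
        {"dependencies": {"pgserve": "^1.0.0", "express": "^4.0.0"}}))
    (root / "package-lock.json").write_text(json.dumps({
        "lockfileVersion": 3,
        "packages": {
            "node_modules/pgserve": {"version": "1.2.3", "hasInstallScript": True},
            "node_modules/express": {"version": "4.19.2"},
        },
    }))
    installed = root / "node_modules" / "pgserve"
    installed.mkdir(parents=True)
    (installed / "package.json").write_text("{}")
    stamp = datetime(2026, 4, 22, 12, 0, tzinfo=timezone.utc).timestamp()
    os.utime(installed / "package.json", (stamp, stamp))
    (root / "requirements.txt").write_text(
        "requests==2.32.3\nXinference==1.4.0  # inference framework\n")
    return root


if __name__ == "__main__":
    for finding in audit(build_sample_project()):
        print(finding)
```

Point audit() at a real checkout instead of the constructed tree to use it; a flagged npm package that also carries install_script=True is the case to treat as a possible postinstall compromise, and any watchlisted hit whose install time falls in the window is the one to prioritize for credential rotation.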