TeamPCP Supply Chain Campaign: Update 008 - 26-Day Pause Ends with Three Concurrent Compromises (Checkmarx KICS, Bitwarden CLI Cascade, xinference PyPI), CanisterSprawl npm Worm Identified, and Tier 1 Coverage Returns (Mon, Apr 27th)
ID: 53eb7044-2571-5b15-8a30-81f7be9e0ab1
STIX ID: report--53eb7044-2571-5b15-8a30-81f7be9e0ab1
Feed Name: SANS ISC Diary
This weekly intelligence update details a sharp return to active supply-chain operations by the TeamPCP campaign during April 20–26, 2026. Three concurrent compromises were observed: trojanized Checkmarx KICS images on Docker Hub, xinference packages with credential-stealing payloads on PyPI, and a self-propagating CanisterSprawl worm on npm. The attackers exfiltrated CI/CD and developer credentials, and a cascading downstream compromise reached Bitwarden’s CLI via Dependabot. Analysts assess that the operators retain full capability and note Tier 1 media coverage and vendor analyses. The update lists detection and watch items, including attribution uncertainty for xinference, Dependabot-driven cascade risk, and potential further cross-ecosystem jumps.
