TeamPCP Supply Chain Campaign: Update 008 - 26-Day Pause Ends with Three Concurrent Compromises (Checkmarx KICS, Bitwarden CLI Cascade, xinference PyPI), CanisterSprawl npm Worm Identified, and Tier 1 Coverage Returns (Mon, Apr 27th)
Summary
The TeamPCP supply chain campaign has resumed after a 26-day pause, with the threat actors compromising Checkmarx KICS, Bitwarden CLI, and xinference on PyPI. Concurrently, a new npm worm called CanisterSprawl has been identified. This update follows previous compromises involving Cisco source code theft and the ongoing activity of the credential stealer SANDCLOCK.
IFF Assessment
The resurgence of the TeamPCP campaign with new compromises indicates an ongoing and evolving threat to software supply chains and developer tools, directly impacting defenders.
Severity
CISA KEV: Listed as actively exploited. Federal patch due: April 09, 2026. Known ransomware use: Unknown.
Defender Context
Defenders need to be vigilant about supply chain attacks that target widely used development tools and platforms like PyPI and npm. The identification of new malware like the CanisterSprawl worm and the continued activity of sophisticated threat groups like TeamPCP (UNC6780) necessitate robust monitoring and defense-in-depth strategies.