💻 AppSec

TeamPCP Supply Chain Campaign Expands to npm and Docker Hub — Bitwarden CLI and Checkmarx KICS Both Backdoored

The TeamPCP supply chain threat group has extended its campaign beyond GitHub Actions and PyPI to poison the @bitwarden/cli npm package and overwrite Checkmarx KICS Docker images and VS Code extensions. The campaign now spans four developer distribution channels across six weeks, deploying a self-propagating worm that exfiltrates SSH keys, cloud credentials, and MCP configuration files from compromised developer environments.

4 min read
#supply-chain#npm#docker#vscode#bitwarden#checkmarx#teampcp#credential-theft

The threat group designated TeamPCP has dramatically expanded the scope of its developer supply chain campaign. On April 22, 2026, two simultaneous attacks were executed: the @bitwarden/cli npm package was poisoned for approximately 90 minutes via compromised Checkmarx CI/CD infrastructure, and five Checkmarx KICS Docker Hub tags were overwritten with backdoored images alongside two VS Code extensions.

This follows the group’s earlier campaigns against Trivy’s GitHub Action tag infrastructure in March and LiteLLM’s PyPI package in late March. TeamPCP has now successfully compromised or poisoned assets in four distinct developer distribution channels: GitHub Actions, PyPI, npm, and Docker Hub plus the VS Code Marketplace.

The npm Vector: Bitwarden CLI Poisoned via CI/CD Credentials

The @bitwarden/cli package — Bitwarden’s official command-line interface with approximately 78,000 weekly downloads — was poisoned at version 2026.4.0. TeamPCP obtained Checkmarx’s npm publisher credentials, which were used in the Checkmarx CI/CD pipeline to automate package publishing. Using these credentials, the attackers published a malicious version that embedded a self-propagating worm component.

The worm exfiltrates:

  • SSH private keys from ~/.ssh/
  • GitHub personal access tokens and npm authentication tokens from .npmrc and npm configuration
  • Cloud provider credential files (AWS ~/.aws/credentials, Azure and GCP equivalents)
  • MCP (Model Context Protocol) configuration files, which may contain API keys for AI services and tools
  • CI/CD environment variables from the current execution context

The self-propagating characteristic is particularly significant: the worm scans for additional package manager configurations in the compromised environment and can inject itself into subsequent publish operations, potentially spreading to other packages maintained by the same CI/CD infrastructure.

The poisoned version was available for approximately 90 minutes before Bitwarden identified and removed it. Any developer or CI/CD pipeline that executed npm install @bitwarden/cli during that window should be treated as compromised.

The Docker Hub and VS Code Vector: Checkmarx KICS

Simultaneously, TeamPCP overwrote five KICS (Keeping Infrastructure as Code Secure) Docker Hub tags and published two new malicious tags. KICS is Checkmarx’s open-source IaC security scanner used to analyse Terraform, CloudFormation, Kubernetes, and Ansible manifests for misconfigurations. DevSecOps teams commonly integrate it into CI/CD pipelines via Docker.

The backdoored KICS images exfiltrate to an attacker-controlled HTTPS endpoint that mimics the format of legitimate Checkmarx telemetry — a deliberate obfuscation designed to survive casual network traffic review.

Additionally, two VS Code extensions were backdoored: Checkmarx Developer Assist and Checkmarx AST-Results. These extensions, used by security engineers working with Checkmarx’s SAST/SCA platform, now exfiltrate IDE-accessible credentials and environment context.

The Pattern: Distribution Channels as the Attack Surface

The campaign’s progression is instructive for how security teams should categorise the threat:

  • March: GitHub Actions infrastructure compromised → all users of the Trivy action on any tag exposed
  • March/April: PyPI publisher credentials compromised → LiteLLM package poisoned
  • April 22: npm publisher credentials via CI/CD pivot → Bitwarden CLI package poisoned
  • April 22: Docker Hub credentials → KICS images overwritten; VS Code Marketplace credentials → two extensions backdoored

Each vector uses the same fundamental mechanism: compromise the credential that authorises publishing to the distribution channel, then publish a poisoned version to existing packages with established trust. The attack lands not in the code repository, where security controls like code review and SAST operate, but in the package registry — after the code has passed all checks and before it reaches the developer or CI/CD pipeline.

  • Audit npm environments: Check for @bitwarden/cli@2026.4.0 installed in any developer machine, CI/CD pipeline, or Docker image. If found, treat the environment as compromised and rotate all credentials accessible from that context.
  • Rotate credentials if exposed: Any SSH keys, GitHub tokens, npm tokens, or cloud provider credentials accessible from environments where the poisoned package was installed should be considered compromised and rotated immediately.
  • Audit KICS Docker usage: Identify all CI/CD pipelines and developer workflows using checkmarx/kics Docker images. Pull fresh official images from Checkmarx’s verified repository; verify image digests before use.
  • Disable Checkmarx VS Code extensions: Uninstall Checkmarx Developer Assist and Checkmarx AST-Results pending a clean advisory from Checkmarx. Monitor for re-emergence of malicious version tags.
  • Implement publisher credential hygiene: For teams that publish packages, enforce MFA on all package registry accounts (npm, PyPI, Docker Hub), use short-lived publish tokens scoped to single packages, and audit which CI/CD services hold publish credentials.
  • Add package digest pinning: In CI/CD pipelines, pin Docker images by digest (checkmarx/kics@sha256:...) rather than tag; pin npm packages to specific versions with integrity checks in package-lock.json. This prevents retroactive tag or version overwriting from reaching your pipelines.

Share this article