Cisco, SD-WAN, Vulnerability, Active Exploitation, CISA KEV, CVE-2026-20122, CVE-2026-20128, CVE-2026-20133
Source Material: GitGuardian | Technology: Checkmarx KICS, Docker, VS Code, npm, PyPI, Bitwarden CLI | Targeted Industries: Opportunistic / Broadly Targeted
Executive Summary
This advisory serves as a critical update to CA-A-26-005, expanding on the scope and advanced capabilities of TeamPCP’s latest supply chain campaign. Between April 21 and April 23, 2026, TeamPCP initiated a massive, coordinated attack against developer environments. What initially appeared as isolated compromises of Checkmarx KICS Docker images and OpenVSX extensions has rapidly evolved into a multi-ecosystem assault. The threat group simultaneously compromised packages across the npm and PyPI ecosystems, distributing a highly advanced, self-propagating variant of the TeamPCPCloudStealer malware.
This marks TeamPCP’s second major supply chain compromise in less than a month, highlighting their aggressive focus on harvesting cloud secrets, source code management tokens, and developer credentials.
Threat Overview and Strategic Impact
TeamPCP’s latest campaign goes far beyond simple credential theft. They are actively utilizing a “worm-like” propagation model across multiple distinct delivery mechanisms:
- Compromised KICS Docker Images: The attackers overwrote existing image tags (including v2.1.20, alpine, debian, and latest) in the official Checkmarx KICS Docker Hub repository with a trojanized version of the security scanner. This modified Go binary retains legitimate functionality but quietly compresses, encrypts (via AES-256-GCM), and exfiltrates infrastructure-as-code (IaC) scan reports directly to an actor-controlled server masquerading as legitimate infrastructure (audit.checkmarx[.]cx).
- Compromised VS Code Extensions: The OpenVSX extensions ast-results (versions 2.63.0, 2.66.0) and cx-dev-assist (versions 1.17.0, 1.19.0) were injected with malicious code. The payload actively checks for—and silently installs if missing—the Bun JavaScript runtime to execute a new variant of TeamPCPCloudStealer.
- Broader Ecosystem Poisoning (npm & PyPI): TeamPCP successfully compromised the @bitwarden/[email protected] npm package via a poisoned GitHub Action, placing countless developer vaults at risk. Simultaneously, they infected the pgserve npm package and xinference on PyPI, expanding their net to target crypto-wallet data (MetaMask, Phantom, Solana) alongside standard developer secrets.
TeamPCPCloudStealer Capabilities & Auto-Propagation: The stealer aggressively targets cloud provider credentials (AWS, Azure Key Vault, GCP), GitHub/npm/PyPI tokens, SSH keys, and environment variables. Critically, it leverages stolen tokens to dynamically inject itself into any packages the victim has write access to, repackaging and publishing infected updates to further the compromise (often tracked as the “CanisterSprawl” worm). It also uploads malicious GitHub Action workflow files into accessible repositories to dump pipeline secrets into a file named format-results.txt on future code pushes.
If its primary command-and-control (C2) server goes down, the malware dynamically queries public GitHub commits for specific keywords (beautifulcastle or LongLiveTheResistanceAgainstMachines) to retrieve backup exfiltration URLs.
Strategic Impact: The impact of this campaign is severe. Because tools like KICS and Bitwarden CLI sit directly in the path of highly privileged credentials, compromising them grants threat actors the keys to enterprise cloud environments and software supply chains. The malware’s ability to self-propagate using stolen developer tokens means that a single infected workstation can rapidly poison an organization’s entire outward-facing software portfolio.
Security Hardening and Recommendations
Organizations that utilize Checkmarx KICS, the affected VS Code extensions, or any of the compromised npm/PyPI packages must treat their environments as actively breached and immediately execute the following steps:
- Initiate Comprehensive Credential Rotation: You must treat all accessible credentials on affected hosts as compromised. Immediately rotate AWS, Azure, GCP, npm, PyPI, and GitHub tokens, along with SSH keys and local cryptocurrency wallets.
- Deprecate Bitwarden CLI v2026.4.0: Verify your Bitwarden CLI versions immediately. Treat any execution of version 2026.4.0 as a host-level credential exposure event and rotate vault access accordingly.
- Implement Strict Digest Pinning: Stop relying on mutable Docker tags (e.g., latest or v2.1.20). Pin all Docker images and GitHub Actions strictly to their cryptographic SHAs to ensure you are pulling immutable, verified code into your pipelines.
- Audit CI/CD Environments for Dropped Artifacts: Search developer workstations and CI/CD runners for the compromised tools, specifically hunting for unauthorized artifacts like bw_setup.js, bw1.js, and the bun binary. Remove the compromised OpenVSX extensions (ast-results and cx-dev-assist).
- Restrict Network Access: Limit outbound network connectivity from your CI/CD build environments to only known-good, required endpoints to effectively kill data exfiltration attempts.
Detection Strategy
To effectively detect this threat, security teams must focus on the artifacts generated during exfiltration and propagation. Analysts should prioritize auditing outbound network traffic for connections to the masqueraded Checkmarx telemetry domain (audit.checkmarx[.]cx) and unexpected queries to the GitHub Search API (utilized as dead-drop resolvers).
On the endpoint, the unexpected execution of the Bun runtime—especially if spawned from a VS Code extension directory—is a critical indicator of TeamPCPCloudStealer activity. Furthermore, organizations must audit accessible GitHub repositories for unauthorized workflow files or branches attempting to serialize pipeline secrets into artifacts such as format-results.txt
How Deepwatch Protects Our Customers
Deepwatch Guardians actively monitor customer environments for network and endpoint telemetry associated with TeamPCP’s latest supply chain campaign. This includes monitoring for known command-and-control (C2) domains, evaluating endpoint execution logs for suspicious installations of the Bun JavaScript runtime, and hunting for the known file hashes and file paths associated with the trojanized KICS executable and the mcpAddon.js payload.
Threat Hunting Leads
- Suspicious Network Traffic: Hunt for outbound HTTP POST requests directed to https[:]//audit.checkmarx[.]cx/v1/telemetry or v2/telemetry, particularly those utilizing the user-agent string KICS-Telemetry/2.0.
- Dead-Drop Resolver Queries: Review network logs for outbound queries to the GitHub Search API containing the specific strings beautifulcastle or LongLiveTheResistanceAgainstMachines (e.g., api.github[.]com/search/commits?q=beautifulcastle).
- Bun Runtime Execution: Hunt for the unexpected download, installation, or execution of the Bun JS runtime (bun or bun.exe). Pay special attention to executions initiating from developer directories, or installations residing at ~/.bun/bin/bun (Linux/macOS) or %USERPROFILE%\bin\bun.exe (Windows).
- Malicious Script Execution & Dropped Artifacts: Review endpoint telemetry for script executions or file creations associated with the TeamPCPCloudStealer payload. Look for .checkmarx/mcp/mcpAddon.js, as well as artifacts tied to the npm compromises like bw_setup.js and bw1.js.
- Malicious GitHub Actions: Audit accessible GitHub repositories for unexpected workflow files or branches—specifically hunting for workflows that dump secrets into format-results.txt.
Technical Artifacts
| Indicator Type | Value | Description |
| Domain | checkmarx[.]cx | Spoofed primary domain used in the campaign. |
| Domain | audit.checkmarx[.]cx | Primary C2 domain used for exfiltrating stolen secrets via a masqueraded telemetry endpoint. |
| URL | https[:]//api.github[.]com/search/commits?q=beautifulcastle&sort=author-date&order=desc | Fallback dead-drop resolver query used to dynamically retrieve C2 infrastructure from GitHub commits. |
| SHA256 | 2a6a35f06118ff7d61bfd36a5788557b695095e7c9a609b4a01956883f146f50 | Trojanized KICS Golang ELF executable deployed via compromised Docker images. |
| SHA256 | 24680027afadea90c7c713821e214b15cb6c922e67ac01109fb1edb3ee4741d9 | JavaScript payload (mcpAddon.js) containing the updated TeamPCPCloudStealer code. |
| File Path | ~/.checkmarx/mcp/mcpAddon.js (Linux/Mac) %USERPROFILE%\.checkmarx\mcp\mcpAddon.js (Windows) | Target local path where the compromised VS Code extensions drop the malicious JS payload. |
| File Path | ~/.bun/bin/bun (Linux/Mac) %USERPROFILE%\bin\bun.exe (Windows) | Default installation paths for the Bun JS runtime utilized by the payload. |
| File Name | bw_setup.js, bw1.js, format-results.txt | Dropped artifacts associated with the npm compromises and malicious GitHub Actions secret dumping. |
Threat Object Mapping
Intrusion Set:
- TeamPCP
Attack Pattern (MITRE ATT&CK):
| Tactic | Technique | Technique ID | Associated Threat Activity |
| Resource Development | Compromise Infrastructure: Web Services | T1584.006 | TeamPCP leverages victim npm and GitHub accounts to publish further malicious artifacts and propagate the infection. |
| Initial Access | Supply Chain Compromise: Compromise Software Supply Chain | T1195.002 | Attackers compromised official Docker Hub images (checkmarx/kics) and OpenVSX extensions (ast-results, cx-dev-assist). |
| Execution | Command and Scripting Interpreter: JavaScript | T1059.007 | The payload downloads and utilizes the legitimate Bun JavaScript runtime (bun or bun.exe) to execute the stealer script. |
| Defense Evasion | Obfuscated Files or Information | T1027 | The JavaScript payloads (mcpAddon.js) are heavily obfuscated to deter reverse engineering and detection. |
| Credential Access | Unsecured Credentials: Credentials In Files | T1552.001 | The malware targets secrets stored in environment variables, .npmrc files, SSH configurations, and AWS secret manager files. |
| Credential Access | Unsecured Credentials: Container API | T1552.007 | The modified KICS binary abuses its legitimate access to container and IaC environments to extract sensitive tokens. |
| Discovery | System Network Configuration Discovery | T1016 | The stealer gathers and exfiltrates local network configuration details from the compromised host. |
| Discovery | System Owner/User Discovery | T1033 | TeamPCPCloudStealer collects system user information and shell histories (bash, zsh). |
| Discovery | Container and Resource Discovery | T1613 | The malware identifies cloud resources from providers such as Google Cloud Platform (GCP) and Azure. |
| Collection | Data from Cloud Storage | T1530 | The stealer specifically targets and collects data stored within cloud infrastructure (e.g., Azure Key Vault). |
| Collection | Archive Collected Data: Archive via Utility | T1560.001 | The trojanized KICS binary compresses the harvested scan results into a .tar archive prior to encryption. |
| Command and Control | Fallback Channels | T1008 | The malware implements fallback mechanisms to retrieve active C2 domains if the primary telemetry domain is offline. |
| Command and Control | Web Service: Dead Drop Resolver | T1102.001 | The payload queries the GitHub Search API for the keyword beautifulcastle to dynamically find commits hosting fallback C2 URLs. |
| Command and Control | Application Layer Protocol: Web Protocols | T1071.001 | Exfiltration and C2 communications occur over standard HTTP/HTTPS POST requests. |
| Exfiltration | Exfiltration Over C2 Channel | T1041 | Stolen data is encrypted using an embedded RSA or AES-256-GCM key and exfiltrated to the attacker’s C2 server. |
Vulnerabilities:
- This campaign does not rely on the exploitation of specific CVEs for initial access. Instead, it relies on Software Supply Chain Compromise. Threat actors successfully gained unauthorized access to Checkmarx’s distribution channels (Docker Hub and OpenVSX registry), as well as npm and PyPI package maintainer accounts, to replace legitimate developer tools with trojanized versions.
Malware/Tool:
- TeamPCPCloudStealer: A custom information stealer written in JavaScript designed to harvest cloud provider secrets, source code management tokens (GitHub), CI/CD pipeline variables, and developer credentials. It includes advanced worm-like propagation capabilities using stolen npm tokens to dynamically infect other packages (associated with CanisterSprawl).
- Trojanized KICS Binary: A modified version of the legitimate Checkmarx KICS (Keeping Infrastructure as Code Secure) Golang executable. It retains normal scanning functions but silently intercepts, compresses, encrypts, and exfiltrates the scan reports to an attacker C2.
- Bun: A legitimate, open-source JavaScript runtime environment. The attackers utilize a script (bunInstaller.js) to silently download and install Bun on the victim’s machine to execute the TeamPCPCloudStealer payload without relying on the host’s existing Node.js environment.
Additional Sources
- Cybernews: Checkmarx suffers second supply chain attack
- CrowdStrike Falcon: CSA-260560 TeamPCP Compromises Checkmarx KICS Docker Images and VS Code Extensions, Distributes Updated TeamPCPCloudStealer
Share