Around 5:00 p.m. CET, we were alerted to the compromise of the Bitwarden/CLI package via https://opensourcemalware.com/npm/@bitwarden/cli
The Jfrog analyses at https://research.jfrog.com/post/bitwarden-cli-hijack/ explain that the data exfiltration is primarily directed to audit[.]checkmarx[.]cx. If an infected machine cannot reach it, the malware falls back to GitHub itself: it retrieves staged PATs from public commit messages marked with LongLiveTheResistanceAgainstMachines, discovers alternate exfiltration domains via signed beautifulcastle commit messages, then creates a repository under the victim's own GitHub account and uploads encrypted credential blobs there.
Based on these findings, we searched for traces in GitHub repositories available to us. Here's what we found.
beautifulcastle
Two commits for beautifulcastle pointing to repositories named helloworm00/hello-world and helloworm00/my-first-repo:
- April 20, 2026, 20:41:43 UTC
- April 21, 2026, 17:53:49.
The second repository contains a new exfiltration domain: safely-irc-weblogs-few[.]trycloudflare[.]com
This exfiltration domain is valid. The corresponding signature can be verified with the RSA public key included in the obfuscated payload, but its base64-encoded form is 84 characters and exceeds the hard {1,30} cap on that field. The commit would have been silently discarded by the regex before the signature was ever checked.
LongLiveTheResistanceAgainstMachines
Four commits were found; all GitHub tokens are invalid as of this writing.
- April 21, 2026, 22:52:50 UTC
- April 22, 2026, 15:48:27 UTC (two commits at same timestamp)
- April 23, 2026, 15:28:47 UTC
One commit contains a JSON document with the keys envelope, key, and token. The GitHub token is not valid.
AI Tool Poisoning
The payload checks the PATH for six AI coding assistants: Claude Code, Gemini CLI, Codex CLI, Kiro CLI, Aider, and OpenCode. It probes all six simultaneously by running its native invocation syntax with a single message: "Hey! Just making sure you're here. If you are can you respond with 'Hello' and nothing else?" The payload selects whichever tool replies with Hello first; the rest are ignored. Claude Code is invoked with --no-confirmation, suppressing any interactive approval prompt so the probe runs silently.
Once the payload finds a live tool, it appends a heredoc block to both ~/.bashrc and ~/.zshrc containing approximately 3,500 bytes of anti-AI manifesto text.
Initial access vector: KICS via Dependabot
One confirmed victim environment shows the attack began with the Checkmarx KICS Docker image compromise on April 22, 2026. Dependabot pulled the trojanized checkmarx/kics:latest tag during an automated dependency update, executing the payload in CI with access to repository secrets.
This confirms the cross-campaign pivot that TeamPCP has used throughout this wave: compromise a trusted CI tool, harvest runner credentials, use those credentials to propagate further. The Dependabot vector is particularly dangerous because it runs automatically, often with elevated permissions, and is rarely subject to the same scrutiny as developer-triggered workflow runs. GitGuardian recommends applying a cooldown to dependency updates.
