No Off Season: Three Supply Chain Campaigns Hit npm, PyPI, and Docker Hub in 48 Hours

After a few quieter weeks, three supply chain attacks put secrets back in the spotlight.

Between April 21 and 23, 2026, three distinct attacks hit npm, PyPI, and Docker Hub simultaneously. Their targets differ and the threat actor groups might, but their objectives don't: in each case, the malware's primary goal was to steal secrets from developer environments and CI/CD pipelines. API keys, cloud credentials, SSH keys, and registry tokens were all targeted.

Campaign 1 - Checkmarx KICS: Compromised Security Scanner Turns on Its Users

The first attack compromised official Checkmarx KICS Docker images and VS Code extensions. Docker flagged suspicious activity on the checkmarx/kics repository on April 22 and alerted Socket. An obfuscated payload harvested GitHub authentication tokens, AWS credentials, Azure and Google Cloud tokens, npm configuration files, SSH keys, and environment variables, compressing and encrypting everything before exfiltration. The payload swept up any API keys stored in environment variables.

TeamPCP likely orchestrated the attack, based on posts they published on X immediately after disclosure. This would be the group's second Checkmarx attack in two months.

Campaign 2 - CanisterSprawl: A Worm That Turns Developer Machines into Launchpads

On April 21, malicious versions of pgserve, a PostgreSQL server for Node.js, appeared on npm. The compromised versions inject a credential-harvesting script that runs via a postinstall hook on every npm install. It searches for npm publish tokens, and for each package the victim can publish, it bumps the patch version, injects itself, and publishes them to npm. If a PyPI token is also found, the worm jumps ecosystems entirely.

Socket and StepSecurity track this as CanisterSprawl, named after its use of an Internet Computer Protocol (ICP) canister as a resilient, decentralized C2 channel. Socket's follow-up investigation linked compromised Namastex.ai npm packages to the same core methods: install-time execution, credential theft, off-host exfiltration to canister-backed infrastructure, and self-propagation logic.

Campaign 3 - xinference: TeamPCP Returns to PyPI

On April 22, three consecutive releases of xinference on PyPI carried a credential-stealing payload. The malware decodes a second-stage collector, harvests SSH keys, cloud credentials, environment variables, and crypto wallets. StepSecurity attributes this to TeamPCP, the same group behind the litellm and telnyx PyPI compromises in March.

There is one notable technical difference from prior TeamPCP campaigns: the xinference payload sends a plain tar.gz directly to the C2 server. The lack of encryption is why some researchers have suggested a copycat, though the injection pattern and multi-version cadence remain consistent with TeamPCP's established tradecraft.

The Common Thread

Three campaigns, three ecosystems, one objective. None of these attacks aimed to disrupt software delivery or corrupting build outputs. Every payload, from the CanisterSprawl worm to the trojanized KICS scanner to the xinference stealer, was engineered to do one thing: extract credentials from the environments where developers and pipelines operate. The question every affected team should be asking right now isn't just "did this package run in my environment?" It's: what secrets were accessible if it did, and have they been rotated?

Answering that requires knowing where your secrets live: across repositories, CI configurations, environment variables, and developer machines. GitGuardian provides continuous detection of exposed secrets across every surface attackers target, repositories, CI configs, environment variables, and developer machines, so when the next compromised package runs in your pipeline, you're not starting from zero.