Byte DiverSoftware supply chain attacks in 2026 are no longer isolated incidents — they are coordinated, cross-ecosystem campaigns that weaponize the very tools developers trust most. In 48 hours during the third week of April, npm, PyPI, and Docker Hub were all compromised simultaneously. The targets? A password manager (Bitwarden), a security scanner (Checkmarx), and a deployment platform (Vercel). When your security tools become attack vectors, the entire trust model of modern software development breaks down.
Key Takeaways
- Checkmarx’s TeamPCP campaign hit 5 vectors simultaneously — GitHub Actions, Docker Hub, VS Code, npm, and CI credentials — all sharing one C2 domain.
- CanisterSprawl is the first fully self-propagating npm worm, using ICP blockchain for takedown-resistant C2 and jumping to PyPI cross-ecosystem.
- Monthly supply chain attacks tripled from 13 to 41 incidents, with open-source malware up 73% year-over-year.
The 48-Hour Blitz: Three Registries, One Week
The third week of April 2026 will be remembered as a watershed moment in software supply chain security. Between April 21 and April 23, three separate but related campaigns hit npm, PyPI, and Docker Hub in rapid succession (GitGuardian).
This was not a coincidence. The campaigns shared tactical DNA — credential harvesting scripts, CI/CD pipeline targeting, and a focus on developer tokens that could enable further propagation.
Monthly software supply chain attack incidents have tripled: from 13 in 2024 to 28 in mid-2025 to 41 by late 2025 (ReversingLabs). Open-source platform malware surged 73% year-over-year (Sonatype).
Group-IB classified supply chain attacks as the top global cyber threat for 2026 (Group-IB).
The pattern is unmistakable: attackers are no longer writing malware from scratch. They are hijacking the tools and pipelines developers already trust.
The Checkmarx Campaign: One Group, Five Vectors
FIG-01
The Checkmarx Campaign: From One Stolen Credential to Five Attack Vectors
MAR 23
Trivy CI Credentials Stolen
TeamPCP steals CI credentials from Trivy infrastructure, gaining initial access to Checkmarx build systems.
APR 20-22
GitHub Actions + Docker Hub Poisoned
ast-github-action, kics-github-action compromised. Docker Hub KICS images v2.1.20, alpine, v2.1.21 trojanized.
APR 22
VS Code Extensions Trojaned
ast-results 2.53.0 and cx-dev-assist 1.7.0 modified to include credential-harvesting payload.
APR 22
Bitwarden CLI npm Hijacked
@bitwarden/[email protected] injected with bw1.js — 93 minutes of exposure, ~40 credential types targeted.
APR 27
Dark Web Data Confirmed
Checkmarx confirms GitHub repository data posted on dark web. All 5 vectors share C2: checkmarx[.]zone.
SOURCE: IBVL, Sophos, The Hacker News (April 2026)
The TeamPCP campaign against Checkmarx is arguably the most sophisticated supply chain attack ever documented. A single threat group simultaneously compromised five distinct attack vectors — an unprecedented breadth of coordination (IBVL).
It started with stolen Trivy CI credentials. From that single point of entry, TeamPCP compromised Checkmarx GitHub Actions (ast-github-action, kics-github-action), Docker Hub KICS images (v2.1.20, alpine, v2.1.21), VS Code extensions (ast-results 2.53.0, cx-dev-assist 1.7.0), and the Bitwarden CLI npm package (@bitwarden/[email protected]).
All five vectors shared the same C2 domain (checkmarx[.]zone), the same encryption scheme (tpcp.tar.gz), and the same target list of approximately 40 credential types — yet each vector used a delivery mechanism tailored to its ecosystem (Sophos).
Why This Matters More Than a Typical Breach
Think of it like a burglar who simultaneously picks the front door lock, climbs through a window, comes up through the basement, enters via the garage, and uses a stolen key — all at the same time. Traditional incident response assumes one attack vector at a time. TeamPCP shattered that assumption.
The attack surface was not a single software package. It was the entire trust chain — from code scanning to password management to container images to IDE extensions.
Bitwarden CLI: When Your Password Manager Becomes the Weapon
The compromise of @bitwarden/[email protected] is a case study in irony: a password manager — the tool designed to protect credentials — was weaponized to steal them (Endor Labs).
The injected payload, bw1.js, scraped GitHub tokens from Runner.Worker memory, AWS/Azure/GCP credentials, SSH keys, .npmrc files, and even Claude AI and MCP configuration files — roughly 40 credential types in total.
93 Minutes of Exposure
The malicious version was live for exactly 93 minutes on April 22, between 5:57 PM and 7:30 PM Eastern Time (Bitwarden). In that window, anyone running npm install @bitwarden/cli pulled the poisoned package.
What made this particularly dangerous was the worm capability: stolen npm tokens were used to republish packages the victim had write access to, and GitHub Actions workflows were injected into repositories — creating a cascading chain of compromise.
The payload included a Russian locale kill switch, Dune-themed repository naming conventions, and an ideological manifesto referencing “Butlerian Jihad” — unusual markers that may aid attribution but did not slow the attack’s effectiveness.
CanisterSprawl: The First Self-Propagating Supply Chain Worm
FIG-02
CanisterSprawl: First Self-Propagating npm Supply Chain Worm
SOURCE: CSA, Socket, StepSecurity (April 2026)
If the Checkmarx campaign represented coordinated breadth, CanisterSprawl represented a terrifying new depth. Discovered on April 21-22, this npm worm is the first fully self-propagating supply chain attack in the npm ecosystem’s history (CSA).
The mechanics are elegant in their malice: the worm executes via a postinstall hook, harvests roughly 40 types of secrets using regex pattern matching, finds npm publish tokens, and then automatically bumps patch versions of every package the victim has publish rights to — re-infecting them with the worm.
If a PyPI token is found, the worm jumps ecosystems entirely. This cross-ecosystem propagation is a first, turning a single npm compromise into a multi-registry threat.
Blockchain-Backed Command and Control
CanisterSprawl’s C2 infrastructure uses an ICP (Internet Computer Protocol) blockchain canister (cjn37-uyaaa-aaaac-qgnva-cai). Unlike traditional servers, blockchain-based C2 cannot be taken down through domain seizure or hosting provider action — the infrastructure is decentralized and censorship-resistant.
At least 16 package versions were confirmed infected, linked to the Namastex Labs organization. The true scope may be larger, as the worm’s self-propagation means every infected developer potentially becomes a distribution vector.
Vercel Breach: The OAuth Trust Chain Collapse
The Vercel breach tells a different but equally alarming story — one about how OAuth trust relationships create invisible credential fan-out (The Hacker News).
The attack chain: a Context.ai employee was infected with Lumma Stealer malware in February 2026. This led to Context.ai’s AWS environment being compromised, which exposed Vercel employee Google Workspace OAuth tokens, granting access to Vercel internal systems and ultimately allowing enumeration of customer project environment variables.
A single Vercel project averages 10-30 environment variables. An organization with 50 projects has 500-1,500 credentials sitting on the platform. The attackers had approximately two months of dwell time — from February through April.
The $2M Ransom Demand
A threat actor claiming affiliation with ShinyHunters demanded $2 million, asserting they had exfiltrated customer data. Vercel confirmed the breach but stated that only non-sensitive default environment variables (not customer-encrypted secrets) were accessible.
The lesson is structural: OAuth connections between services create trust chains that no single vendor fully monitors. When one link breaks, the credential cascade can be staggering.
The Numbers Tell the Story
FIG-03
Software Supply Chain Attacks 2026: Key Metrics
3x
Monthly Attack Growth (2024→2025)
73%
Open-Source Malware YoY Increase
93 min
Bitwarden CLI Exposure Window
~40
Credential Types Targeted by bw1.js
SOURCE: ReversingLabs, Sonatype, Bitwarden, JFrog (2026)
The data paints a picture of systematic escalation:
| Metric | Value | Source |
|---|---|---|
| Monthly supply chain attacks (2024) | 13 incidents | ReversingLabs |
| Monthly supply chain attacks (late 2025) | 41 incidents | ReversingLabs |
| Growth rate | 3x increase | ReversingLabs |
| Open-source malware YoY increase | 73% | Sonatype |
| Bitwarden CLI exposure window | 93 minutes | Bitwarden |
| CanisterSprawl infected packages | 16+ versions | CSA / Socket |
| Vercel attacker dwell time | ~2 months | The Hacker News |
| bw1.js credential types targeted | ~40 types | JFrog / Socket |
| Axios npm weekly downloads | 70-100M | npm |
| LiteLLM PyPI daily downloads | ~3.4M | PyPI |
Two additional high-profile incidents in Q1 2026 underscore the trend: the Axios npm compromise (March 31), attributed to North Korea’s Sapphire Sleet group and affecting a package with 70-100 million weekly downloads, and the LiteLLM PyPI compromise (March 24), targeting roughly 3.4 million daily downloads and over 50 credential types.
The Attacker Playbook: What Changed in 2026
Three structural shifts define the 2026 supply chain attack landscape:
Shift 1: Multi-Vector Coordination
The TeamPCP campaign proved that sophisticated actors no longer attack one vector at a time. Five simultaneous compromises across GitHub Actions, Docker Hub, VS Code, npm, and CI credentials means defenders need multi-front incident response capabilities.
Shift 2: Self-Propagation
CanisterSprawl eliminated the need for attackers to identify and target individual packages. The worm propagates autonomously, turning every infected developer into an unwitting distributor. This changes the math from “how many packages can we poison” to “how many developers can one infection reach.”
Shift 3: Takedown-Resistant Infrastructure
Blockchain C2 (ICP canisters), Dune-themed operational security, and cross-ecosystem propagation all point to attackers investing in persistence. The days of a quick domain takedown ending a campaign are numbered.
The Defender’s Checklist: Five Actions for Right Now
Based on the April 2026 incidents, here are five immediate actions every development team should implement:
Pin GitHub Actions to commit SHA, not tags. The Checkmarx campaign exploited tag-based references. SHA pinning ensures you run exactly the code you audited — tags can be moved to point to compromised commits.
Enforce minimal-privilege, short-lived tokens for npm/PyPI. CanisterSprawl’s entire propagation mechanism depends on finding publish tokens with broad scope. Scoped, time-limited tokens reduce blast radius.
Migrate environment variables to dedicated secrets managers. The Vercel breach exposed the risk of platform-stored environment variables. Vault, AWS Secrets Manager, or Azure Key Vault provide encryption at rest, access logging, and rotation capabilities that platform environment variables do not.
Audit OAuth app permissions quarterly — revoke unused grants. The Vercel attack chain started with an OAuth trust relationship. Most organizations have dozens of OAuth connections they have never audited.
Monitor CI runner outbound network traffic and enforce IMDS v2. bw1.js exfiltrated credentials to external C2 domains. Outbound allow-listing on CI runners — combined with IMDS v2 enforcement to prevent cloud metadata theft — would have detected or blocked the exfiltration.
South Korea: The Supply Chain Security Gap
South Korea’s software ecosystem faces unique supply chain security challenges. At NetSec-KR 2026, experts emphasized that supply chain security is no longer a developer-only concern — it requires enterprise-wide participation (DailySeCu).
SK Shieldus identified software supply chain attacks as a top-tier threat in their 2026 threat landscape report, noting that Korean enterprises’ heavy reliance on open-source components makes them particularly vulnerable to the exact attack patterns seen in April (SK Shieldus).
The EU’s Cyber Resilience Act (CRA) will mandate SBOM (Software Bill of Materials) requirements starting 2026, with full enforcement by 2027. Korean exporters to the EU market will need to comply — and the April attacks demonstrate exactly why these requirements exist.
What Korean Development Teams Should Do
Korean organizations using Checkmarx, Bitwarden CLI, or Vercel in their CI/CD pipelines should immediately audit for indicators of compromise from the April campaigns. The 93-minute Bitwarden window and two-month Vercel dwell time mean exposure may have gone undetected.
Korean SBOM adoption remains behind the EU and US timelines. The April incidents provide a concrete business case for accelerating SBOM implementation — not as a compliance checkbox, but as a genuine security control.
FAQ
Q. What is a software supply chain attack? A. A software supply chain attack compromises a trusted component — such as an open-source package, CI/CD tool, or development platform — to distribute malware to downstream users. Instead of attacking targets directly, attackers poison the tools and libraries developers already depend on, gaining access to potentially thousands of organizations through a single compromise.
Q. How can I check if my organization was affected by the April 2026 attacks? A. Review your npm lock files for @bitwarden/[email protected] (the malicious version), check Docker images for KICS v2.1.20/alpine/v2.1.21, audit VS Code extensions for ast-results 2.53.0 or cx-dev-assist 1.7.0, and review OAuth permissions for any Context.ai or Vercel-related grants from February-April 2026. Bitwarden’s official statement provides detailed indicators of compromise.
Q. Why are software supply chain attacks increasing so rapidly in 2026? A. Three factors drive the acceleration: the growing dependency on open-source components (average application uses 200+ packages), the discovery that CI/CD pipelines store high-value credentials with broad access, and the emergence of self-propagating techniques like CanisterSprawl that turn single compromises into autonomous campaigns. The economics favor attackers — one poisoned package can reach millions of installations.
Q. What is an SBOM and why does it matter for supply chain security? A. An SBOM (Software Bill of Materials) is a comprehensive inventory of every component, library, and dependency in a software product. It matters because you cannot defend what you cannot see. When Bitwarden CLI was compromised, organizations with SBOMs could instantly identify whether they were using the affected version. Those without SBOMs had to manually audit their environments — a process that takes hours or days while attackers are actively exfiltrating credentials.
References
- Bitwarden Statement on Checkmarx Supply Chain Incident
- GitGuardian: Three Supply Chain Campaigns Hit npm, PyPI, and Docker Hub in 48 Hours
- ReversingLabs 2026 Software Supply Chain Security Report
- Group-IB: Supply Chain Attacks Top Global Cyber Threat
- Sonatype 2026 State of the Software Supply Chain
- Sophos: Supply Chain Attacks Hit Checkmarx and Bitwarden
- Endor Labs: Inside the Bitwarden CLI Supply Chain Attack
- CSA Research Note: npm CanisterSprawl Supply Chain Worm
- DailySeCu: NetSec-KR 2026 Supply Chain Security
- SK Shieldus: SW Supply Chain Threat Report
- TeamPCP Campaign Update 008 — IBVL
This article is for informational and analytical purposes only. The ByteDive does not provide cybersecurity consulting services. Organizations should consult qualified security professionals for incident response and remediation specific to their environments.
Bottom Line. Software supply chain attacks in 2026 have crossed a structural threshold — from isolated package poisoning to coordinated, self-propagating, cross-ecosystem campaigns that weaponize the tools defenders rely on most.
Career Takeaway. If your CI/CD pipeline still references GitHub Actions by tag, stores secrets in platform environment variables, or has OAuth grants you have never audited — the April 2026 incidents are a direct warning. The 93-minute Bitwarden window proves that modern supply chain attacks move faster than human incident response. Automation is no longer optional — it is the only defense that operates at attacker speed.