TeamPCP Supply Chain Campaign: Update 008 - 26-Day Pause Ends with Three Concurrent Compromises (Checkmarx KICS, Bitwarden CLI Cascade, xinference PyPI), CanisterSprawl npm Worm Identified, and Tier 1 Coverage Returns, (Mon, Apr 27th)
This update succeeds&#;x26;#;xc2;&#;x26;#;xa0;TeamPCP Supply Chain Campaign Update 007, published April 8, 2026, which left the campaign in credential-monetization mode following the Cisco source code theft via Trivy-linked credentials, Google GTIG&#;x26;#;39;s formal designation of the operators as UNC6780 (with their credential stealer named SANDCLOCK), and the lapsed CISA KEV remediation deadline for CVE-2026-33634 with no standalone federal advisory. The Sportradar publication deadline flagged in Update 007 (approximately April 10 to 11) lapsed without a public CipherForce dump, and CipherForce&#;x26;#;39;s leak infrastructure has remained offline. Twelve days after Update 007, the technical compromise picture changed sharply across the W17 window (April 20 through April 26).
AI Analysis
Technical Summary
The TeamPCP supply chain campaign, associated with UNC6780 and their credential stealer SANDCLOCK, resumed activity after a 26-day pause with three simultaneous compromises affecting Checkmarx KICS, Bitwarden CLI Cascade, and xinference PyPI. The campaign previously focused on credential monetization following a Cisco source code theft via Trivy-linked credentials. Despite the lapse of a CISA KEV remediation deadline for CVE-2026-33634, no standalone federal advisory has been issued. The campaign's leak infrastructure (CipherForce) remains offline, and no public data dumps have occurred since the last update. The recent activity period (April 20-26, 2026) shows a notable shift in technical compromises, including identification of a CanisterSprawl npm worm and renewed Tier 1 coverage. No patch or mitigation details are provided in the source.
Potential Impact
The campaign involves supply chain compromises affecting multiple software components and tools, potentially enabling unauthorized access or code execution. However, there is no evidence of active exploitation in the wild at this time. The impact is currently limited to the identified compromises without broader public data leaks or widespread exploitation. The severity is considered low based on the absence of known active exploits and limited public impact.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisories for Checkmarx KICS, Bitwarden CLI, xinference PyPI, and related components for current remediation guidance. Since no official patch or mitigation details are provided in the update, organizations should monitor vendor communications closely. No specific mitigation steps are recommended beyond staying informed and applying vendor patches when available.
TeamPCP Supply Chain Campaign: Update 008 - 26-Day Pause Ends with Three Concurrent Compromises (Checkmarx KICS, Bitwarden CLI Cascade, xinference PyPI), CanisterSprawl npm Worm Identified, and Tier 1 Coverage Returns, (Mon, Apr 27th)
Description
This update succeeds&#;x26;#;xc2;&#;x26;#;xa0;TeamPCP Supply Chain Campaign Update 007, published April 8, 2026, which left the campaign in credential-monetization mode following the Cisco source code theft via Trivy-linked credentials, Google GTIG&#;x26;#;39;s formal designation of the operators as UNC6780 (with their credential stealer named SANDCLOCK), and the lapsed CISA KEV remediation deadline for CVE-2026-33634 with no standalone federal advisory. The Sportradar publication deadline flagged in Update 007 (approximately April 10 to 11) lapsed without a public CipherForce dump, and CipherForce&#;x26;#;39;s leak infrastructure has remained offline. Twelve days after Update 007, the technical compromise picture changed sharply across the W17 window (April 20 through April 26).
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The TeamPCP supply chain campaign, associated with UNC6780 and their credential stealer SANDCLOCK, resumed activity after a 26-day pause with three simultaneous compromises affecting Checkmarx KICS, Bitwarden CLI Cascade, and xinference PyPI. The campaign previously focused on credential monetization following a Cisco source code theft via Trivy-linked credentials. Despite the lapse of a CISA KEV remediation deadline for CVE-2026-33634, no standalone federal advisory has been issued. The campaign's leak infrastructure (CipherForce) remains offline, and no public data dumps have occurred since the last update. The recent activity period (April 20-26, 2026) shows a notable shift in technical compromises, including identification of a CanisterSprawl npm worm and renewed Tier 1 coverage. No patch or mitigation details are provided in the source.
Potential Impact
The campaign involves supply chain compromises affecting multiple software components and tools, potentially enabling unauthorized access or code execution. However, there is no evidence of active exploitation in the wild at this time. The impact is currently limited to the identified compromises without broader public data leaks or widespread exploitation. The severity is considered low based on the absence of known active exploits and limited public impact.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisories for Checkmarx KICS, Bitwarden CLI, xinference PyPI, and related components for current remediation guidance. Since no official patch or mitigation details are provided in the update, organizations should monitor vendor communications closely. No specific mitigation steps are recommended beyond staying informed and applying vendor patches when available.
Technical Details
- Article Source
- {"url":"https://isc.sans.edu/diary/rss/32926","fetched":true,"fetchedAt":"2026-04-27T14:15:06.813Z","wordCount":2590}
Threat ID: 69ef6f6aba26a39fba2fe8d4
Added to database: 4/27/2026, 2:15:06 PM
Last enriched: 4/27/2026, 2:15:17 PM
Last updated: 6/12/2026, 1:58:32 AM
Views: 139
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.