The TeamPCP supply chain campaign, associated with UNC6780 and their credential stealer SANDCLOCK, resumed activity after a 26-day pause with three simultaneous compromises affecting Checkmarx KICS, Bitwarden CLI Cascade, and xinference PyPI. The campaign previously focused on credential monetization following a Cisco source code theft via Trivy-linked credentials. Despite the lapse of a CISA KEV remediation deadline for CVE-2026-33634, no standalone federal advisory has been issued. The campaign's leak infrastructure (CipherForce) remains offline, and no public data dumps have occurred since the last update. The recent activity period (April 20-26, 2026) shows a notable shift in technical compromises, including identification of a CanisterSprawl npm worm and renewed Tier 1 coverage. No patch or mitigation details are provided in the source.

The campaign involves supply chain compromises affecting multiple software components and tools, potentially enabling unauthorized access or code execution. However, there is no evidence of active exploitation in the wild at this time. The impact is currently limited to the identified compromises without broader public data leaks or widespread exploitation. The severity is considered low based on the absence of known active exploits and limited public impact.

Patch status is not yet confirmed — check the vendor advisories for Checkmarx KICS, Bitwarden CLI, xinference PyPI, and related components for current remediation guidance. Since no official patch or mitigation details are provided in the update, organizations should monitor vendor communications closely. No specific mitigation steps are recommended beyond staying informed and applying vendor patches when available.