[Attack graph: lateral propagation from TeamPCP to Checkmarx KICS, Bitwarden CLI, xinference (PyPI), CanisterSprawl (npm) and a customer build; nodes marked infected, target or clean. Source: isc.sans.edu]
// News Desk · 27 April 2026 · supply chain · commentary

TeamPCP supply-chain campaign: 26-day pause, three concurrent compromises, then back to work

A campaign that goes quiet then re-fires across three ecosystems at once. Defenders' mental model needs to include intermittency, not just persistence.

The TeamPCP supply-chain campaign — the cluster best known for compromising Cisco source code via the Trivy supply chain in late 2025 — has re-fired after a 26-day pause. SANS Internet Storm Center’s update this week covers three concurrent compromises that landed inside 48 hours: Checkmarx KICS, Bitwarden CLI Cascade, and the xinference package on PyPI. A separately tracked npm worm called CanisterSprawl has been added to the cluster’s attribution graph in the same write-up.

Three concurrent compromises in 48 hours is an interesting operational signature. It implies the actor was not idle during the quiet phase — the access, infrastructure, and publisher-account compromises were almost certainly accumulated continuously, then drawn upon for a coordinated release. The 26-day pause is the campaign’s pacing strategy, not its capability ceiling.

The interesting bit for defenders is the behaviour, not the technical detail of any one compromise. Persistent campaigns that go through extended quiet phases break the muscle memory most security teams build up around active-incident response. The detection signal goes down. The threat-intelligence feeds reduce their coverage. The internal Slack channel stops paying attention. The CISO stops asking about it on the weekly. Then three new compromises drop in 48 hours and everyone’s caught flat-footed because the institutional attention had moved elsewhere two weeks ago.

Two operational responses help against this class of attacker. The first is to memorialise the campaign in a tracking artefact that lives beyond the active phase: an IOC list, the named maintainer accounts, the affected ecosystems, the publisher signatures the cluster has used. Make it the kind of thing your detection pipelines re-check on every package update, even when the campaign is publicly quiet. The second is to pre-decide who is reading the supply-chain threat-intelligence feeds during the quiet phases. If “no-one” is the honest answer when nothing is on fire, you do not have a supply-chain security programme; you have a supply-chain incident-response programme that wakes up when something breaks. They are not the same thing.
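One way to build the tracking artefact described above, as an added example rather than anything from the ISC write-up or TeamPCP-related tooling: matches are made on every package update regardless of how long the campaign has been publicly quiet, and a second check flags artefacts with no named reader or a stale review. Every package name other than xinference, the publisher account and the dates are constructed placeholders.

```python
"""Campaign tracking artefact re-checked on every package update (added example;
all package names, accounts and dates are constructed placeholders)."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class CampaignArtefact:
    campaign: str
    owner: str | None                         # named reader during quiet phases
    last_reviewed: date
    last_public_activity: date
    packages: frozenset[tuple[str, str]]      # (ecosystem, package name)
    publishers: frozenset[tuple[str, str]]    # (ecosystem, publisher account)

@dataclass(frozen=True)
class PackageUpdate:
    ecosystem: str
    name: str
    publisher: str

def check_update(update: PackageUpdate, artefacts: list[CampaignArtefact], today: date) -> list[str]:
    """Quiet time is reported for context only; it never gates the check, so a 26-day pause cannot switch it off."""
    eco, name, pub = update.ecosystem.lower(), update.name.lower(), update.publisher.lower()
    hits: list[str] = []
    for a in artefacts:
        quiet = (today - a.last_public_activity).days
        if (eco, name) in a.packages:
            hits.append(f"{a.campaign}: tracked package {eco}/{name} (campaign quiet {quiet}d)")
        if (eco, pub) in a.publishers:
            hits.append(f"{a.campaign}: tracked publisher {eco}/{pub} (campaign quiet {quiet}d)")
    return hits

def review_overdue(artefacts: list[CampaignArtefact], today: date, max_age_days: int = 14) -> list[str]:
    """Flag artefacts nobody is reading: no named owner, or a review older than max_age_days."""
    out: list[str] = []
    for a in artefacts:
        if a.owner is None:
            out.append(f"{a.campaign}: no named reader")
        elif (today - a.last_reviewed).days > max_age_days:
            out.append(f"{a.campaign}: last reviewed by {a.owner} {(today - a.last_reviewed).days}d ago")
    return out

# Constructed artefact: xinference on PyPI is named in the article; the npm package
# and the publisher account are placeholders, not indicators from the ISC write-up.
TEAMPCP = CampaignArtefact("TeamPCP", None, date(2026, 4, 1), date(2026, 4, 1),
                           frozenset({("pypi", "xinference"), ("npm", "placeholder-worm-pkg")}),
                           frozenset({("pypi", "placeholder-publisher")}))
TODAY = date(2026, 4, 27)
SAMPLE_UPDATE = PackageUpdate("PyPI", "xinference", "unrelated-maintainer")
```

Run `check_update` from the hook that sees every dependency update, and `review_overdue` from a scheduled job, so that both keep running while the campaign is quiet.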

The TeamPCP cadence — long quiet phases, sudden multi-ecosystem releases — is going to become more common, not less. Plan accordingly.
