惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
Application and Cybersecurity Blog
Application and Cybersecurity Blog
T
Threat Research - Cisco Blogs
Latest news
Latest news
Project Zero
Project Zero
TaoSecurity Blog
TaoSecurity Blog
Cyberwarzone
Cyberwarzone
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Google DeepMind News
Google DeepMind News
P
Privacy & Cybersecurity Law Blog
T
Troy Hunt's Blog
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
AWS News Blog
AWS News Blog
Hacker News: Ask HN
Hacker News: Ask HN
S
Security @ Cisco Blogs
C
Cisco Blogs
Help Net Security
Help Net Security
I
Intezer
W
WeLiveSecurity
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
腾讯CDC
S
Secure Thoughts
MyScale Blog
MyScale Blog
Recorded Future
Recorded Future
G
GRAHAM CLULEY
L
LINUX DO - 热门话题
A
About on SuperTechFans
C
CXSECURITY Database RSS Feed - CXSecurity.com
IT之家
IT之家
J
Java Code Geeks
The Hacker News
The Hacker News
阮一峰的网络日志
阮一峰的网络日志
Scott Helme
Scott Helme
Recent Announcements
Recent Announcements
AI
AI
Cisco Talos Blog
Cisco Talos Blog
B
Blog RSS Feed
V
Vulnerabilities – Threatpost
C
Check Point Blog
Security Latest
Security Latest
S
SegmentFault 最新的问题
T
The Exploit Database - CXSecurity.com
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
M
MIT News - Artificial intelligence
T
The Blog of Author Tim Ferriss
Attack and Defense Labs
Attack and Defense Labs
PCI Perspectives
PCI Perspectives
Recent Commits to openclaw:main
Recent Commits to openclaw:main
T
Tailwind CSS Blog
Apple Machine Learning Research
Apple Machine Learning Research

SANS Internet Storm Center, InfoCON: green

From a VHDX File to a Remcos RAT - SANS Internet Storm Center ISC Stormcast For Tuesday, June 16th, 2026 https://isc.sans.edu/podcastdetail/9974 Evil MSI Background: BASE64 Statistical Analysis - SANS ISC ISC Stormcast For Monday, June 15th, 2026 https://isc.sans.edu/podcastdetail/9972 ISC Stormcast For Friday, June 12th, 2026 https://isc.sans.edu/podcastdetail/9970 ISC Stormcast For Thursday, June 11th, 2026 https://isc.sans.edu/podcastdetail/9968 How has use of framing protection security headers changed in the past 3 years? ISC Stormcast For Wednesday, June 10th, 2026 https://isc.sans.edu/podcastdetail/9966 Microsoft June 2026 Patch Tuesday - SANS Internet Storm Center ISC Stormcast For Tuesday, June 9th, 2026 https://isc.sans.edu/podcastdetail/9964 TeamPCP Supply Chain Campaign: Activity Through 2026-06-07 ISC Stormcast For Monday, June 8th, 2026 https://isc.sans.edu/podcastdetail/9962 The Evil MSI Background is Back! - SANS Internet Storm Center ISC Stormcast For Friday, June 5th, 2026 https://isc.sans.edu/podcastdetail/9960 Microsoft's Coreutils for Windows - SANS Internet Storm Center ISC Stormcast For Thursday, June 4th, 2026 https://isc.sans.edu/podcastdetail/9958 Continuing Scans for swagger.json - SANS Internet Storm Center ISC Stormcast For Wednesday, June 3rd, 2026 https://isc.sans.edu/podcastdetail/9956 New Wave Of Phishing Emails with SVG Files - SANS ISC ISC Stormcast For Tuesday, June 2nd, 2026 https://isc.sans.edu/podcastdetail/9954 ISC Stormcast For Monday, June 1st, 2026 https://isc.sans.edu/podcastdetail/9952 Unidentified RAT pushes NetSupport RAT - SANS ISC YARA-X 1.17.0 Release - SANS Internet Storm Center ISC Stormcast For Friday, May 29th, 2026 https://isc.sans.edu/podcastdetail/9950 Analysis of a Year of Files Uploaded to DShield Sensors ISC Stormcast For Thursday, May 28th, 2026 https://isc.sans.edu/podcastdetail/9948 Reconstructing an Akira Ransomware Kill Chain from Perimeter and Endpoint Logs ISC Stormcast For Wednesday, May 27th, 2026 https://isc.sans.edu/podcastdetail/9946 ISC Stormcast For Tuesday, May 26th, 2026 https://isc.sans.edu/podcastdetail/9944 Possible ACR Stealer From Page Impersonating Claude Microsoft Access VBA - SANS Internet Storm Center Wireshark 4.6.6 Released - SANS Internet Storm Center An Example of Stack String in High Level Language - SANS ISC Cross-Platform NPM Stealer - SANS Internet Storm Center ISC Stormcast For Friday, May 22nd, 2026 https://isc.sans.edu/podcastdetail/9942 Selective HTTP Proxying in Linux - SANS Internet Storm Center ISC Stormcast For Thursday, May 21st, 2026 https://isc.sans.edu/podcastdetail/9940 ISC Stormcast For Wednesday, May 20th, 2026 https://isc.sans.edu/podcastdetail/9938 ISC Stormcast For Tuesday, May 19th, 2026 https://isc.sans.edu/podcastdetail/9936 TeamPCP Supply Chain Campaign: Activity Through 2026-05-17 [Guest Diary] New Malware Libraries means New Signatures ISC Stormcast For Friday, May 15th, 2026 https://isc.sans.edu/podcastdetail/9934 Simple bypass of the link preview function in Outlook Junk folder ISC Stormcast For Thursday, May 14th, 2026 https://isc.sans.edu/podcastdetail/9932 [GUEST DIARY] Tearing apart website fraud to see how it works. ISC Stormcast For Wednesday, May 13th, 2026 https://isc.sans.edu/podcastdetail/9930 Proxying the Unproxyable? Sending EXE traffic to a Proxy Microsoft May 2026 Patch Tuesday - SANS Internet Storm Center ISC Stormcast For Tuesday, May 12th, 2026 https://isc.sans.edu/podcastdetail/9928 Apple Patches Everything - SANS Internet Storm Center Why we use CAPTCHAs - SANS Internet Storm Center ISC Stormcast For Monday, May 11th, 2026 https://isc.sans.edu/podcastdetail/9926 YARA-X 1.16.0 Release - SANS Internet Storm Center Another Universal Linux Local Privilege Escalation (LPE) Vulnerability: Dirty Frag ISC Stormcast For Friday, May 8th, 2026 https://isc.sans.edu/podcastdetail/9924 ISC Stormcast For Wednesday, May 6th, 2026 https://isc.sans.edu/podcastdetail/9920 Cleartext Passwords in MS Edge? In 2026? - SANS ISC SSL.com rotates their root certificate today - SANS ISC ISC Stormcast For Tuesday, May 5th, 2026 https://isc.sans.edu/podcastdetail/9918 TeamPCP Weekly Analysis: 2026-W18 (2026-04-27 through 2026-05-03) DShield Honeypot Update - SANS Internet Storm Center ISC Stormcast For Monday, May 4th, 2026 https://isc.sans.edu/podcastdetail/9916 Wireshark 4.6.5 Released - SANS Internet Storm Center Malicious Ad for Homebrew Leads to MacSync Stealer ISC Stormcast For Friday, May 1st, 2026 https://isc.sans.edu/podcastdetail/9914 ISC Stormcast For Thursday, April 30th, 2026 https://isc.sans.edu/podcastdetail/9912 Danger of Libredtail [Guest Diary] - SANS Internet Storm Center Today's Odd Web Requests - SANS Internet Storm Center ISC Stormcast For Wednesday, April 29th, 2026 https://isc.sans.edu/podcastdetail/9910 HTTP Requests with X-Vercel-Set-Bypass-Cookie Header ISC Stormcast For Tuesday, April 28th, 2026 https://isc.sans.edu/podcastdetail/9908 ISC Stormcast For Friday, April 24th, 2026 https://isc.sans.edu/podcastdetail/9906 Apple Patches Exploited Notification Flaw - SANS ISC ISC Stormcast For Thursday, April 23rd, 2026 https://isc.sans.edu/podcastdetail/9904 ISC Stormcast For Wednesday, April 22nd, 2026 https://isc.sans.edu/podcastdetail/9902 [Guest Diary] Beyond Cryptojacking: Telegram tdata as a Credential Harvesting Vector, Lessons from a Honeypot Incident, (Wed, Apr 22nd) A .WAV With A Payload - SANS Internet Storm Center ISC Stormcast For Tuesday, April 21st, 2026 https://isc.sans.edu/podcastdetail/9900 Handling the CVE Flood With EPSS - SANS Internet Storm Center ISC Stormcast For Monday, April 20th, 2026 https://isc.sans.edu/podcastdetail/9898 ISC Stormcast For Friday, April 17th, 2026 https://isc.sans.edu/podcastdetail/9896 Lumma Stealer infection with Sectop RAT (ArechClient2) ISC Stormcast For Thursday, April 16th, 2026 https://isc.sans.edu/podcastdetail/9894 [Guest Diary] Compromised DVRs and Finding Them in the Wild ISC Stormcast For Wednesday, April 15th, 2026 https://isc.sans.edu/podcastdetail/9892 Scanning for AI Models - SANS Internet Storm Center Microsoft Patch Tuesday April 2026. - SANS ISC ISC Stormcast For Tuesday, April 14th, 2026 https://isc.sans.edu/podcastdetail/9890 Scans for EncystPHP Webshell - SANS Internet Storm Center ISC Stormcast For Monday, April 13th, 2026 https://isc.sans.edu/podcastdetail/9888 Obfuscated JavaScript or Nothing - SANS Internet Storm Center ISC Stormcast For Thursday, April 9th, 2026 https://isc.sans.edu/podcastdetail/9886 Number Usage in Passwords: Take Two - SANS ISC TeamPCP Supply Chain Campaign: Update 007 - Cisco Source Code Stolen via Trivy-Linked Breach, Google GTIG Tracks TeamPCP as UNC6780, and CISA KEV Deadline Arrives with No Standalone Advisory More Honeypot Fingerprinting Scans - SANS Internet Storm Center ISC Stormcast For Wednesday, April 8th, 2026 https://isc.sans.edu/podcastdetail/9884 A Little Bit Pivoting: What Web Shells are Attackers Looking for? ISC Stormcast For Tuesday, April 7th, 2026 https://isc.sans.edu/podcastdetail/9882 How often are redirects used in phishing in 2026? - SANS ISC ISC Stormcast For Monday, April 6th, 2026 https://isc.sans.edu/podcastdetail/9880
TeamPCP Supply Chain Campaign: Update 008 - 26-Day Pause Ends with Three Concurrent Compromises (Checkmarx KICS, Bitwarden CLI Cascade, xinference PyPI), CanisterSprawl npm Worm Identified, and Tier 1 Coverage Returns
2026-04-27 · via SANS Internet Storm Center, InfoCON: green

This update succeeds TeamPCP Supply Chain Campaign Update 007, published April 8, 2026, which left the campaign in credential-monetization mode following the Cisco source code theft via Trivy-linked credentials, Google GTIG's formal designation of the operators as UNC6780 (with their credential stealer named SANDCLOCK), and the lapsed CISA KEV remediation deadline for CVE-2026-33634 with no standalone federal advisory. The Sportradar publication deadline flagged in Update 007 (approximately April 10 to 11) lapsed without a public CipherForce dump, and CipherForce's leak infrastructure has remained offline. Twelve days after Update 007, the technical compromise picture changed sharply across the W17 window (April 20 through April 26).

The most significant development of the week was the end of TeamPCP's 26-day supply chain compromise pause, with three concurrent package compromises landing across npm, PyPI, and Docker Hub between April 21 and 22. The Checkmarx KICS Docker Hub repository was compromised on April 22 (claimed by TeamPCP via @pcpcats), the xinference PyPI package was poisoned the same day with a TeamPCP marker that the group publicly denied, and a self-propagating npm worm tracked as CanisterSprawl was identified by Socket and StepSecurity beginning April 21. The KICS Docker compromise then cascaded into a downstream compromise of @bitwarden/cli version 2026.4.0 the same evening when Bitwarden's Dependabot automation pulled the malicious checkmarx/kics:latest image into the Bitwarden CI/CD pipeline. Reporting suggests the campaign has visibly returned to its technical-discovery and active-compromise phase after spending most of April in credential-monetization mode; analysts assess the operators retain full operational capability despite the prior month's monetization failures.

Dated event log

  • The supply chain pause ended decisively. Prior weekly and daily updates documented an approximately 26-day gap from the Telnyx PyPI disclosure (March 27) without new package compromises, and the W16 weekly characterized the campaign as being in a "credential monetization phase" rather than active compromise. The April 21 to 22 cluster of three new compromises across three different ecosystems (npm, PyPI, Docker Hub) ends that pause and demonstrates the operators retained the access, the publishing-credential foothold, and the operational tempo to mount synchronized multi-ecosystem operations. The KICS compromise specifically used valid Checkmarx publisher credentials, which suggests the credential-theft pipeline from prior campaigns has produced reusable access into vendor publishing infrastructure beyond the originally compromised ecosystems.
  • Cascading impact from one compromise to another is now empirically demonstrated. The Bitwarden CLI compromise was not a separate intrusion: it was a downstream consequence of the KICS Docker image push, propagated through Bitwarden's trusted Dependabot automation. Reporting suggests this is the first documented case in this campaign of a compromise of one popular developer tool automatically poisoning the build pipeline of another popular developer tool through ordinary dependency-update automation. Analysts assess this validates a long-flagged theoretical risk: in a supply chain campaign where security tooling is the target, automated pull-through compromises will compound exponentially with the popularity and trust of each compromised artifact.
  • The "TeamPCP claims one, denies the other" pattern is analytically significant. In the same 24 hour window, TeamPCP explicitly took credit for Checkmarx (via the @pcpcats account, with taunting language) but explicitly denied the xinference compromise that bore its branding marker. Both attacks share TeamPCP's operational signature (double base64 encoding, detached subprocess on import, exhaustive credential sweep). Reporting suggests three possible explanations: (1) genuine copycat or splinter actor reusing leaked TeamPCP tooling; (2) deliberate false flag by TeamPCP intended to muddy attribution; or (3) operational discipline whereby TeamPCP claims compromises it considers high-prestige (a security vendor) and disowns those it considers low-prestige or unprofitable (an inference framework with low corporate footprint). Analysts assess explanation (1) is most likely given the simultaneous scaling of the broader extortion ecosystem (Vect, ShinyHunters, CanisterSprawl), but cannot rule out the others.
  • Tier 1 coverage returned in force after six quiet weeks. BleepingComputer, Dark Reading, SecurityWeek, The Hacker News, and Cybernews all published original TeamPCP-related reporting during the target week, ending the longest dry spell since the campaign began. The catalyst was new technical compromise events rather than victim disclosures, consistent with the W16 analyst observation that mainstream coverage of this campaign is driven by novel compromises rather than ongoing extortion activity.
  • Vect's leak site went quiet despite prior projections. The W16 weekly identified a 9 day 8 hour negotiation countdown on the Guesty listing that placed expected publication around April 24. Monitoring of ransomware.live during the target week shows Vect's victim count remained at 25, with no new TeamPCP-tagged listings and no public publication of Guesty or S&P Global data through April 26. Reporting suggests one of three possibilities: (1) negotiations are progressing privately, (2) Vect is conserving public output while TeamPCP regains technical operational focus, or (3) the publishing infrastructure once again hit a disruption. Analysts assess this is the third consecutive lapsed Vect-or-CipherForce monetization deadline (after ShinyHunters/Cisco approximately April 3 and CipherForce/Sportradar approximately April 10 to 11), which is now a robust pattern.

Watch items

  • xinference attribution resolution. Vendor analyses from JFrog, OX Security, StepSecurity, and Mend disagree on whether xinference is genuine TeamPCP, a copycat, or a deliberate false flag. The next coherent statement from Mandiant or GTIG (which formally tracks TeamPCP as UNC6780) will likely settle the question and is worth monitoring; absent that, watch for additional compromises bearing the same operator marker that TeamPCP either claims or denies, which would clarify the discipline-versus-copycat hypothesis.
  • Cascading downstream impact through Dependabot or similar automation. The Bitwarden CLI compromise is the first documented automation-pivoted cascade in this campaign. Watch for additional disclosed cases in the coming week, particularly from organizations whose CI/CD pipelines pulled checkmarx/kics during the April 22 14:17:59 UTC to 15:41:31 UTC window. Endor Labs and StepSecurity have published detection guidance; victim disclosures are likely to materialize on a 3 to 14 day delay as organizations complete forensic review of their own April 22 build artifacts.
  • CanisterSprawl ecosystem jump. Socket and StepSecurity flagged that CanisterSprawl jumps to PyPI when it discovers a PyPI publish token. Watch for the first confirmed PyPI compromise that shares CanisterSprawl indicators (ICP canister C2, postinstall execution pattern, the specific 40-category regex sweep), which would convert the cross-ecosystem capability from theoretical to demonstrated.
  • CISA standalone advisory or emergency directive. CISA has not issued a dedicated TeamPCP advisory in the 35 days since adding CVE-2026-33634 to the KEV catalog. Three concurrent compromises affecting Checkmarx, Bitwarden, Xorbits xinference, and Namastex Labs in a single 48 hour window during a sitting federal civilian remediation cycle creates additional pressure for a standalone advisory. Watch for any CISA, FBI, or Five Eyes joint product responsive to W17 events.
  • Vect publication or formal de-escalation. With three consecutive lapsed Vect-or-CipherForce monetization deadlines, watch for either a delayed public Guesty or S&P Global data dump or a formal Vect statement on the leak site. Continued silence into W18 increasingly favors the hypothesis that the TeamPCP-affiliated extortion arm is operationally constrained rather than tactically patient.

Source index

Tier 1 (major security publications)

Tier 2 (vendor threat intelligence)

Tier 3 (government or institutional)

  • No new dedicated CISA, FBI, NCSC, ACSC, CCCS, BSI, or Singapore CSA advisories have been reported for TeamPCP-related activity during the target week based on monitoring of the listed sources. The CISA KEV entry for CVE-2026-33634 from late March remains the only US federal action and was not updated this week. CERT-EU has not issued a follow-on bulletin to the European Commission disclosure. No Five Eyes joint advisory has been identified. The supply chain attacks on April 21 to 22 were sufficiently public to generate Tier 1 coverage; the absence of a corresponding CISA standalone advisory or emergency directive is itself a continuing signal.

Tier 4 (social and dark web signal)