TL;DR
Between 21 and 23 April 2026, three separate supply chain campaigns hit npm, PyPI, and Docker Hub simultaneously. A compromised security scanner (Checkmarx KICS), a self-propagating worm (CanisterSprawl), and a credential-stealing PyPI package (xinference) all targeted the same prize: your CI/CD secrets, cloud tokens, and SSH keys. If your business runs npm install, pip install, or pulls Docker images, you were in the blast radius. Lock your dependencies, pin your hashes, and rotate your secrets now.
April 2026: The Week Supply Chain Security Broke
For three days in late April, the software supply chain became a shooting gallery. Three distinct threat actors — or one highly coordinated group — launched simultaneous attacks across the ecosystems that Australian developers trust every time they type npm install or docker pull.
None of these attacks aimed to break your app. They aimed to steal the keys to your kingdom: GitHub tokens, AWS credentials, npm publish rights, SSH keys, and environment variables. And in several cases, the malware was designed to spread itself automatically.
Incident 1: Checkmarx KICS — The Security Scanner That Turned on Its Users
On 22 April, Docker flagged suspicious activity on the official checkmarx/kics repository. KICS (Keeping Infrastructure as Code Secure) is a security scanner used by thousands of engineering teams — including many Australian consultancies and MSPs — to scan Terraform and Kubernetes manifests inside CI/CD pipelines.
The compromised Docker images contained an obfuscated payload that harvested GitHub authentication tokens, AWS, Azure, and Google Cloud credentials, npm configuration files, SSH keys, and every environment variable it could reach. Everything was compressed, encrypted, and exfiltrated.
The blast radius was massive: any pipeline that pulled checkmarx/kics:latest during the compromise window handed its secrets to the attacker. The threat actor group TeamPCP claimed responsibility on X immediately after disclosure. This was their second Checkmarx attack in two months.
The lesson: tools you run inside CI/CD have access to everything your pipeline touches. A compromised scanner is a skeleton key.
Incident 2: CanisterSprawl — The Worm That Jumps Ecosystems
On 21 April, malicious versions of pgserve, a PostgreSQL server for Node.js, appeared on npm. The payload was a credential-harvesting script that executed via a postinstall hook — meaning it ran automatically on every npm install, no user action required.
CanisterSprawl, as tracked by Socket and StepSecurity, searches infected machines for npm publish tokens. For every package the victim can publish, it bumps the patch version, injects itself, and publishes the infected package back to npm. If it finds a PyPI token on the same machine, the worm jumps ecosystems entirely — from npm to Python.
Its command-and-control infrastructure uses an Internet Computer Protocol (ICP) canister, a decentralised channel that is extremely difficult to take down. Follow-up investigation linked compromised Namastex.ai npm packages to the same methods.
The lesson: a single compromised developer laptop can poison dozens of packages across multiple registries.
Incident 3: xinference — TeamPCP Returns to PyPI
On 22 April, three consecutive releases of xinference on PyPI carried a credential-stealing payload. The malware decoded a second-stage collector that harvested SSH keys, cloud credentials, environment variables, and cryptocurrency wallets.
StepSecurity attributed this to TeamPCP, the same group behind the litellm and telnyx PyPI compromises in March 2026. The xinference payload sent a plain tar.gz directly to the attacker's C2 server — no encryption, no subtlety, just raw exfiltration.
The lesson: threat actors are iterating faster than defenders. TeamPCP moved from npm to PyPI to Docker Hub within weeks, refining their tradecraft each time.
How These Attacks Actually Work
The common thread across all three campaigns: none needed a zero-day vulnerability. Every attack exploited trust.
- Compromised maintainer credentials: phishing, credential stuffing, or token theft gave attackers publish rights to legitimate packages.
- Postinstall hooks: malicious code that executes automatically when a package is installed — no user interaction needed.
- CI/CD pipeline access: once inside a build environment, the malware reads every environment variable, config file, and mounted secret.
- Self-propagation: harvested npm/PyPI tokens are used to publish infected versions of other packages, creating a chain reaction.
The attackers weren't interested in your source code or your database. They wanted the credentials that let them come back later — or sell access to ransomware operators.
What Australian SMBs Must Do Right Now
You do not need a security operations centre to defend against these attacks. You need discipline.
1. Lock Your Dependencies — Actually Lock Them
- Use `package-lock.json` (npm) or `yarn.lock` and commit it. Never use `--no-lockfile`.
- For Python, use `pip freeze > requirements.txt` with exact versions, or adopt `pipenv`/`poetry` lock files.
- Verify lockfiles haven't been tampered with: use `npm ci` instead of `npm install` in CI/CD. `npm ci` respects the lockfile exactly and fails if it doesn't match `package.json`.
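To show what "pin your hashes" looks like in practice, here is an added example (not code from the article or from pip): it parses a requirements file written in pip's `--require-hashes` format and refuses any artifact whose name, version, or SHA-256 does not match the pin. The `litellm` pin to 1.82.6 and the wheel bytes are constructed stand-ins.

```python
# Added example (not from the article or from pip): verify a downloaded artifact against a
# hash-pinned requirements file. Assumes pip's format: name==version --hash=sha256:<hex>
import hashlib
import re

PIN_RE = re.compile(r"^([A-Za-z0-9_.\-]+)==(\S+)")          # exact pins only
HASH_RE = re.compile(r"--hash=sha256:([0-9a-f]{64})")

def parse_pins(text):
    """Return {name: (version, {sha256 hex, ...})}; rejects ranges and unhashed lines."""
    pins = {}
    for line in text.replace("\\\n", " ").splitlines():     # join backslash continuations
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = PIN_RE.match(line)
        if not m:
            raise ValueError(f"not an exact pin: {line!r}")   # e.g. litellm>=1.82
        hashes = set(HASH_RE.findall(line))
        if not hashes:
            raise ValueError(f"no --hash for {m.group(1)}")   # --require-hashes refuses this too
        pins[m.group(1).lower()] = (m.group(2), hashes)
    return pins

def verify_artifact(pins, name, version, data):
    """Accept artifact bytes only when name and version are pinned and the digest matches."""
    entry = pins.get(name.lower())
    if entry is None:
        return False, "not pinned"
    want_version, hashes = entry
    if version != want_version:
        return False, f"version {version} != pinned {want_version}"
    if hashlib.sha256(data).hexdigest() not in hashes:
        return False, "sha256 mismatch"
    return True, "ok"

# Constructed sample: a stand-in for a wheel file and a requirements entry pinned to it.
# 1.82.6 is a constructed "known good" version; the article names 1.82.7/1.82.8 as compromised.
GOOD_WHEEL = b"constructed stand-in for litellm-1.82.6-py3-none-any.whl"
TAMPERED_WHEEL = GOOD_WHEEL + b"\n# injected bytes (constructed)"
REQUIREMENTS = (
    "litellm==1.82.6 \\\n"
    f"    --hash=sha256:{hashlib.sha256(GOOD_WHEEL).hexdigest()}\n"
)

if __name__ == "__main__":
    pins = parse_pins(REQUIREMENTS)
    for ver, blob in (("1.82.6", GOOD_WHEEL), ("1.82.6", TAMPERED_WHEEL), ("1.82.7", GOOD_WHEEL)):
        print(ver, verify_artifact(pins, "litellm", ver, blob))
```

A version bump is rejected before any hash is compared, which is the property that makes a malicious 1.82.7 release irrelevant to a build pinned to 1.82.6.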
2. Pin to Commit SHAs in GitHub Actions
Never reference a GitHub Action by tag (e.g., actions/checkout@v4). Tags can be moved. Always pin to the full commit SHA:
```yaml
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
```
Tools like StepSecurity's restrict-github-actions can enforce this automatically.
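A check you can run in CI to catch tag-pinned actions, as an added example (not the article's code and not StepSecurity's tool): it scans a workflow file for `uses:` references whose ref is not a full 40-character commit SHA. The sample workflow is constructed; `example-org/scan-action` and `example-org/scanner` are placeholders.

```python
# Added example (not from the article or StepSecurity): flag every `uses:` in a GitHub
# Actions workflow that is not pinned to a full 40-hex commit SHA.
import re

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def find_unpinned_actions(workflow_yaml):
    """Return [(line_no, ref, reason)] for refs that a moved tag or branch could redirect."""
    findings = []
    for line_no, line in enumerate(workflow_yaml.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1).strip("'\"")
        if ref.startswith("./"):
            continue                        # local action: versioned with the repo itself
        if ref.startswith("docker://"):
            if "@sha256:" not in ref:       # image tag, not a digest
                findings.append((line_no, ref, "docker image not pinned by digest"))
            continue
        if "@" not in ref:
            findings.append((line_no, ref, "no ref specified"))
            continue
        version = ref.rsplit("@", 1)[1]
        if not SHA_RE.match(version):
            findings.append((line_no, ref, f"tag or branch ref {version!r} can be moved"))
    return findings

# Constructed sample workflow; the pinned checkout line is the one the article shows.
SAMPLE_WORKFLOW = """\
name: ci
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - uses: ./.github/actions/local-step
      - name: scan
        uses: example-org/scan-action@main
      - uses: docker://example-org/scanner:latest
"""

if __name__ == "__main__":
    for line_no, ref, reason in find_unpinned_actions(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {ref}: {reason}")
```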
3. Enable Dependabot or Renovate — But Configure Them Safely
- Dependabot: enabled natively in GitHub under Settings > Code security > Dependabot alerts. It flags known-vulnerable dependencies and can auto-open PRs.
- Renovate: more configurable than Dependabot. Pin its version to a commit SHA in your config and set `automerge: false` for all non-dev dependencies.
- Critical guardrail: never auto-merge dependency PRs. The GitGuardian analysis of the Checkmarx KICS attack found that automation tools silently merged malware in minutes. Every update PR gets a human review.
4. Audit Your Installed Packages — Today
Run these commands right now:
```bash
# npm: check for known compromised versions
npm audit
npm ls axios pgserve chalk debug
# Python: check installed packages
pip list | grep -iE "xinference|litellm|telnyx"
# Docker: check pulled images
docker images | grep -iE "checkmarx|trivy"
```
If you find compromised versions, update immediately and rotate every secret those CI/CD pipelines had access to.
5. Rotate Secrets Proactively
Assume any secret that touched a CI/CD pipeline in April 2026 is compromised. Rotate:
- npm and PyPI publish tokens
- GitHub personal access tokens
- AWS IAM access keys
- Docker Hub credentials
- SSH keys on developer machines and build servers
Use a secrets manager (AWS Secrets Manager, HashiCorp Vault, or even .env files excluded from git) rather than hardcoding credentials in workflow YAML.
FAQ
Q: I'm a 15-person dev shop in Melbourne. Are we really a target?
A: You're not the target — your credentials are. These worms don't discriminate. They harvest tokens from every machine they land on, then use those tokens to spread. Size doesn't matter; access does.
Q: We pin versions. Isn't that enough?
A: Pinning to an exact version (e.g., [email protected]) does protect you: if a maintainer's account is compromised and a new patch version is published with malware, an exact pin will not pull it in. A range pin like ^1.7.9 gives no such protection, because it will pull in patch updates. Use exact versions in lockfiles, and run npm ci, not npm install.
Q: What if we use Renovate or Dependabot? Are we safer or more exposed?
A: Both. These tools alert you to known vulnerabilities faster than you'd discover them manually — that's the upside. The downside: if a malicious version is published and your pipeline auto-merges dependency PRs, the malware is deployed in minutes. Turn off auto-merge. Review every update.
Q: How do we know if we were hit by the April 2026 attacks?
A: Check your lockfiles for the specific compromised versions (pgserve, [email protected]/0.30.4, xinference), review CI/CD logs for unexpected outbound connections between 21–23 April, and scan for unexpected npm publish or pip publish events from your infrastructure.
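For the audit in step 4 and this question, an added example (not from the article, Socket or StepSecurity) that reads an npm `package-lock.json` and reports watchlisted packages, packages that declare install scripts (the `hasInstallScript` flag npm writes for postinstall hooks), and entries with no integrity hash. The watchlist and lockfile are constructed; real compromised versions must come from the advisories.

```python
# Added example (not from the article, Socket or StepSecurity): audit an npm package-lock.json
# (lockfileVersion 2 or 3) for watchlisted versions, install hooks and missing integrity hashes.
import json

def audit_lockfile(lock_text, watchlist):
    """Return [(name, version, reason)]. watchlist holds (name, version); version "*" matches any."""
    lock = json.loads(lock_text)
    if lock.get("lockfileVersion", 1) < 2:
        raise ValueError("lockfileVersion 1 has no 'packages' map; regenerate with a current npm")
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue                                   # "" is the root project itself
        name = path.rsplit("node_modules/", 1)[-1]     # handles nested and @scoped paths
        version = meta.get("version", "")
        if (name, version) in watchlist or (name, "*") in watchlist:
            findings.append((name, version, "on watchlist"))
        if meta.get("hasInstallScript"):               # npm records lifecycle install hooks here
            findings.append((name, version, "declares an install/postinstall script"))
        if not meta.get("integrity"):
            findings.append((name, version, "no integrity hash recorded"))
    return findings

# Constructed watchlist: real entries must come from the advisories (Socket, StepSecurity).
WATCHLIST = {("pgserve", "*"), ("xinference", "*")}

# Constructed lockfile fragment; versions and hashes are placeholders, not real releases.
SAMPLE_LOCK = json.dumps({
    "name": "app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "app", "dependencies": {"pgserve": "^1.0.0", "axios": "1.7.9"}},
        "node_modules/pgserve": {"version": "1.0.5", "integrity": "sha512-PLACEHOLDER",
                                 "hasInstallScript": True},
        "node_modules/axios": {"version": "1.7.9", "integrity": "sha512-PLACEHOLDER"},
        "node_modules/pgserve/node_modules/debug": {"version": "4.3.4"},
    },
})

if __name__ == "__main__":
    for name, version, reason in audit_lockfile(SAMPLE_LOCK, WATCHLIST):
        print(f"{name}@{version}: {reason}")
```

Packages flagged for install scripts can be installed with `npm ci --ignore-scripts` while you review what the hook does; anything on the watchlist means rotating every secret that pipeline could read.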
Conclusion
The April 2026 supply chain blitz wasn't a sophisticated APT operation exploiting zero-days. It was credential theft at industrial scale, enabled by automation that trusted too much and verified too little.
Australian SMBs running Node.js, Python, or containerised workloads should treat this as a fire drill that already happened. Lock your files. Pin your hashes. Review your merges. Rotate your secrets. The attackers are already iterating on their next campaign.
If you're unsure where to start, visit consult.lil.business for a free, no-obligation cybersecurity assessment tailored to Australian small and medium businesses. We'll review your CI/CD posture, dependency hygiene, and secrets management in one session.
References
- No Off Season: Three Supply Chain Campaigns Hit npm, PyPI, and Docker Hub in 48 Hours — GitGuardian
- Software Supply Chain Attacks 2025–2026: Axios, Shai-Hulud, Chalk — Cyber Army
- Renovate & Dependabot: The New Malware Delivery System — GitGuardian
- GitHub Actions Security Hardening — StepSecurity
- Essential Eight Maturity Model — Australian Cyber Security Centre
TL;DR
- Bad actors snuck harmful code into a popular AI tool called LiteLLM that thousands of businesses use [1].
- The attack stole passwords, secret keys, and digital wallets from anyone who installed the poisoned version [1].
- They did it by first compromising a security tool that LiteLLM trusted — like poisoning the water at the treatment plant [2].
- Here is what it means for your business and how to stay safe.
What Is LiteLLM?
Imagine you run a restaurant and instead of ordering from one food supplier, you want to compare prices from ten different ones. LiteLLM is like a universal ordering app that lets businesses talk to different AI services — ChatGPT, Claude, Gemini — all through one simple connection.
Thousands of companies use it to build AI features into their products [1].
What Went Wrong?
A group of hackers called TeamPCP figured out something clever. Instead of breaking into LiteLLM directly, they first broke into a security scanner called Trivy — a tool that LiteLLM used to check itself for bugs [2].
Think of it this way: imagine a locksmith who checks all the locks in your building gets compromised. Now the attacker does not need to pick any locks — they have the locksmith's master key.
Once inside, TeamPCP published two fake versions of LiteLLM (versions 1.82.7 and 1.82.8) to PyPI, the online store where developers download software [1]. Anyone who downloaded these versions unknowingly installed malware that:
- Collected passwords and secret keys stored on their computers [1]
- Spread to other computers on the same network [1]
- Set up a hidden door that let the hackers come back anytime they wanted [1]
Why Should You Care?
You might not use LiteLLM directly, but your business probably relies on software that works the same way — built from dozens of smaller pieces, each one downloaded from the internet.
According to security research firm Sonatype, attacks on these software building blocks increased by 156% in just one year [3]. And IBM found that when hackers steal login credentials this way, the average cleanup cost is $4.81 million [4].
The Australian Cyber Security Centre has flagged these kinds of attacks as one of the top threats businesses face today [5].
What Can You Do?
Ask your IT team or provider three questions:
"Do we pin our software to specific versions so updates do not happen automatically?" — This stops poisoned updates from sneaking in.
"Do we have tools that scan our software for known threats?" — Free and paid tools exist that check every package you download against a database of known attacks [6].
"If a tool we depend on gets compromised, how quickly would we know?" — The answer tells you whether your business would catch something like this in hours or months.
If you do not have an IT team: Start by keeping an inventory of the software your business uses. Know what you depend on. That awareness alone puts you ahead of most small businesses.
The Simple Takeaway
Every AI tool and every piece of software your business uses is built from smaller parts. If any of those parts gets poisoned, the whole thing becomes dangerous. The best protection is knowing what you depend on and having someone who watches for these threats.
It is like food safety — you trust your suppliers, but smart restaurants still check what arrives at the loading dock.
FAQ
Instead of attacking your business directly, hackers attack the tools or software your business depends on. When you update or install that trusted software, you unknowingly install the attacker's code too. It is like someone tampering with ingredients at a factory — every product made with those ingredients gets affected.
If anyone in your organisation uses Python and has LiteLLM installed, check the version number. Versions 1.82.7 and 1.82.8 were the compromised ones. Run `pip list | grep litellm` to check. If you see those versions, contact an IT professional immediately.
Very common and growing fast. Sonatype tracked a 156% increase in software supply chain attacks in 2025 [3]. The LiteLLM incident is the fifth software ecosystem TeamPCP has targeted, showing these attackers are becoming more ambitious [2].
No. AI tools can genuinely help your business work smarter and save money. The key is using them with proper safeguards — verified versions, dependency scanning, and regular security reviews. Think of it like driving: cars are useful, but you still wear a seatbelt.
References
[1] Endor Labs, "TeamPCP Isn't Done — LiteLLM Supply Chain Attack Analysis," Endor Labs Research, Mar. 24, 2026. [Online]. Available: https://www.endorlabs.com/learn/teampcp-isnt-done
[2] R. Lakshmanan, "TeamPCP Backdoors LiteLLM Versions 1.82.7–1.82.8 Likely via Trivy CI/CD Compromise," The Hacker News, Mar. 24, 2026. [Online]. Available: https://thehackernews.com/2026/03/teampcp-backdoors-litellm-versions.html
[3] Sonatype, "2025 State of the Software Supply Chain Report," Sonatype, 2025. [Online]. Available: https://www.sonatype.com/state-of-the-software-supply-chain
[4] IBM Security, "Cost of a Data Breach Report 2025," IBM, 2025. [Online]. Available: https://www.ibm.com/reports/data-breach
[5] Australian Cyber Security Centre, "Annual Cyber Threat Report 2024-2025," Australian Signals Directorate, 2025. [Online]. Available: https://www.cyber.gov.au/about-us/reports-and-statistics/annual-cyber-threat-report
[6] Socket Security, "TeamPCP Targeting Security Tools Across OSS Ecosystem," Socket Blog, Mar. 2026. [Online]. Available: https://socket.dev/blog/teampcp-targeting-security-tools-across-oss-ecosystem
[7] JFrog, "LiteLLM Compromised by TeamPCP — Supply Chain Attack Analysis," JFrog Security Research, Mar. 24, 2026. [Online]. Available: https://research.jfrog.com/post/litellm-compromised-teampcp/
[8] McKinsey & Company, "The State of AI in 2025," McKinsey Global Institute, 2025. [Online]. Available: https://www.mckinsey.com/capabilities/quantumblack/our-insights/the-state-of-ai