T1195.001 Compromise Software Dependencies and Development Tools
99%
“encrypting everything before exfiltration. the payload swept up any api keys stored in environment variables. teampcp likely orchestrated the attack, based on posts they published on x immediately after disclosure. this would be the group's second checkmarx attack in two months…”
T1195.001 Compromise Software Dependencies and Development Tools
88%
“channel. socket's follow-up investigation linked compromised namastex.ai npm packages to the same core methods: install-time execution, credential theft, off-host exfiltration to canister-backed infrastructure, and self-propagation logic. campaign 3 - xinference: t…”
T1195.001 Compromise Software Dependencies and Development Tools
86%
“no off season: three supply chain campaigns hit npm, pypi, and docker hub in 48 hours after a few quieter weeks, three supply chain attacks put secrets back in the spotlight. between april 21 and 23, 2026, three distinct attacks hit npm, pypi, and docker hub simultaneously. thei…”
T1587 Develop Capabilities
79%
“encrypting everything before exfiltration. the payload swept up any api keys stored in environment variables. teampcp likely orchestrated the attack, based on posts they published on x immediately after disclosure. this would be the group's second checkmarx attack in two months…”
T1195.001 Compromise Software Dependencies and Development Tools
60%
“, three ecosystems, one objective. none of these attacks aimed to disrupt software delivery or corrupting build outputs. every payload, from the canistersprawl worm to the trojanized kics scanner to the xinference stealer, was engineered to do one thing: extract credentials from…”
T1587 Develop Capabilities
44%
“channel. socket's follow-up investigation linked compromised namastex.ai npm packages to the same core methods: install-time execution, credential theft, off-host exfiltration to canister-backed infrastructure, and self-propagation logic. campaign 3 - xinference: t…”
T1552.001 Credentials In Files
35%
“no off season: three supply chain campaigns hit npm, pypi, and docker hub in 48 hours after a few quieter weeks, three supply chain attacks put secrets back in the spotlight. between april 21 and 23, 2026, three distinct attacks hit npm, pypi, and docker hub simultaneously. thei…”
Summary
Three supply chain attacks hit npm, PyPI, and Docker Hub between April 21 and 23, 2026. All three targeted secrets: API keys, cloud credentials, SSH keys, and tokens from developer environments and CI/CD pipelines.