The Pearltech Group  |  Cybersecurity Intelligence
FIRST 48 CISO Edition  |  Daily Breach Report
Date: April 28, 2026
Threat Level: ■ ELEVATED
Incidents Today: 4 Active Incidents
Live Intel  |  Incident Response Intelligence
■ Checkmarx breached twice by TeamPCP: KICS Docker images poisoned, developer credentials at risk   ■   Bitwarden CLI compromised via Checkmarx supply chain vector   ■   Microsoft Windows Shell zero-day CVE-2026-32202 confirmed exploited in the wild   ■   Vercel breach update: Mandiant engaged, OAuth scope expanding   ■   Lapsus$ claims Checkmarx source code and API key dump   ■  
Monday, April 28, 2026  |  Vol. 1, No. 2 First48CISO.com  |  @pearltechgroup  |  Dianne Powers
BREAKING Supply Chain

Checkmarx Breached Twice: The Security Tool That Was Scanning Your Infrastructure Was Stealing It

A security scanner trusted by developers worldwide to find vulnerabilities in their infrastructure code was itself compromised. Twice. In 35 days. The attacker was not just stealing credentials. The tool was generating your scan reports and sending them out the back door.

The attacker did not break into your environment. You invited them in. You ran their Docker image. You trusted their scanner. And while it was looking for your vulnerabilities, it was documenting them for someone else.

Itron, the Liberty Lake, Washington company whose smart meters sit inside the electric, gas, and water infrastructure of cities across America, disclosed on Friday that an unauthorized third party accessed its internal systems on April 13. The company filed an SEC 8-K, activated its incident response plan, engaged external advisors, and notified law enforcement.

On the surface, the disclosure reads as controlled. Operations continued. Customer-hosted systems were unaffected. Insurance is expected to cover a significant portion of costs. But read between the lines of the filing and the picture is more troubling: the company is still "evaluating what legal filings and regulatory notifications might be required." That language signals the scope of any data exposure is not yet fully understood.

Itron's products include smart meters, sensors, and management software used by utilities and municipal governments. Its devices are embedded in the operational backbone of how American cities manage power and water. A persistent attacker inside those corporate systems is one degree of separation from understanding exactly how that infrastructure is mapped, managed, and monetized.

No threat actor has claimed responsibility. TechCrunch noted the company declined to comment on who notified them of the intrusion. That is an unusual gap that suggests the detection may have been external, not internal. As of this writing, the investigation remains open.

First 48 CISO Take

The Friday SEC filing is your first signal. Organizations disclose on Fridays when they hope the news cycle absorbs it quietly. No attacker has claimed this breach yet, and Itron declined to say who tipped them off. Both gaps suggest this may be an espionage play, not a ransom play. Espionage actors don't wave flags. Your question this week: does your vendor ecosystem include any OT-adjacent infrastructure suppliers? If yes, this is your trigger to review third-party access logs.

CISA Leadership
Still no Senate-confirmed director. Agency operating under political pressure and workforce cuts. A vacuum at the top of federal cyber defense.
Nation-State Watch
Iran-affiliated actors carried over from March. Multi-agency alert for US critical infrastructure sectors. FBI's Operation Winter Shield active against utility ransomware.
AI Threat Window
Zscaler ThreatLabz: AI has collapsed the human response window. Remote access is now the fastest path to breach. Defenders are being outpaced.
Patch Priority
CISA added 4 KEV entries: SimpleHelp (CVSS 9.9), Samsung MagicINFO, D-Link DIR-823X. April Patch Tuesday addressed 67 flaws including 2 zero-days.
Also in Today's Report
Supply Chain Bitwarden

Your Password Manager CLI Was a Malware Delivery Vehicle for 93 Minutes

Bitwarden confirmed that @bitwarden/cli@2026.4.0 was compromised via the Checkmarx supply chain attack. The malicious package was live on npm for 93 minutes on April 22. The malware harvested GitHub tokens, npm tokens, SSH keys, and .env files, then used stolen tokens to inject malicious Actions workflows into any CI/CD pipeline it could reach.

→ CISO Note: 93 minutes is a short window. But if a developer on your team ran that npm install during that window, every GitHub token and cloud secret on that machine should be rotated now. Do not wait for confirmation. Assume compromise and work backwards.
OAUTH ABUSE Vercel

A Browser Extension Your Developer Installed Handed an Attacker the Keys to Vercel

Vercel confirmed that initial access came via an employee who installed the Context.ai browser extension and signed into it using their enterprise Google account. The extension embedded a hidden OAuth grant giving read access to Google Drive. The attacker used that access to burrow into Vercel's internal systems. Mandiant is now engaged. A ransom demand of $2 million was reported.

→ CISO Note: A browser extension with enterprise Google OAuth access is a full credential handoff. Your developers install extensions casually. You need a policy. Approved extensions only, reviewed quarterly, with OAuth scope restrictions enforced at the Workspace admin level.
ZERO-DAY Microsoft

Windows Shell Zero-Day Confirmed Exploited in the Wild. Patch Tuesday Was Not Fast Enough

Microsoft revised its Patch Tuesday advisory to confirm that CVE-2026-32202, a Windows Shell spoofing vulnerability, has been actively exploited in the wild. The flaw allows an attacker who gets a victim to open a malicious file to access sensitive information across the network. It was patched this month but active exploitation confirms attackers moved faster than update cycles.

→ CISO Note: CVE-2026-32202 requires a user to open a malicious file. That means phishing is the delivery vector. Active exploitation alongside the Checkmarx supply chain campaign means attackers are running multiple vectors simultaneously this week. Defense in depth, not single-control reliance.
When a Tool in Your CI/CD Pipeline Is the Attacker: Your First 48 Response
01
Hours 0–4
Triage the Disclosure
Identify every developer who ran KICS, Bitwarden CLI, or any Checkmarx tooling between April 22 and 25. Map which machines pulled affected images. This is your blast radius. Document it before anything else.
02
Hours 4–12
Map Your Exposure
Rotate every GitHub token, npm token, SSH key, cloud credential, and .env secret from any affected machine. Do not triage. Rotate everything. The attacker already has what they need. Your job is to make it worthless.
03
Hours 12–24
Notify and Contain
Audit every GitHub repository the affected tokens had write access to. Check Actions workflow files for any injections. Review npm package publish history. If the token touched a public package, that package may also be compromised.
04
Hours 24–48
Assess & Report
Determine notification scope: customers, partners, and downstream package consumers. Legal reviews. If your organization published any software that used affected credentials, your users may also be at risk. Transparency now prevents liability later.
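The Hours 0–4 and 4–12 steps above come down to two questions: which machines hold a poisoned image or the compromised CLI version, and what has to be rotated on each. The script below is an added example written for this report; it is not Checkmarx, Bitwarden, or First 48 CISO code. It matches Docker images by digest (a tag like "latest" is not an indicator, since the clean and poisoned images can share it) and npm installs by exact package version. The only identifier taken from the report is @bitwarden/cli@2026.4.0; the poisoned KICS digests are placeholders to be replaced with the vendor's published indicators, and the host inventory, repository name, and npm trees are constructed sample data.

```python
import json

# Compromised npm package version named in the report.
COMPROMISED_NPM = {("@bitwarden/cli", "2026.4.0")}

# PLACEHOLDER digests: the report does not publish the poisoned KICS image
# indicators, so substitute the vendor's published digests here.
AFFECTED_IMAGE_DIGESTS = {
    "sha256:PLACEHOLDER_POISONED_KICS_DIGEST_1",
    "sha256:PLACEHOLDER_POISONED_KICS_DIGEST_2",
}

# Secret classes the report says the malware harvested; every one gets rotated.
SECRET_CLASSES = ["GitHub token", "npm token", "SSH key", "cloud credential", ".env secret"]


def parse_docker_images(lines):
    """Parse `docker image ls --digests --format '{{json .}}'` output, one JSON object per line.

    Returns a list of (repository:tag, digest) tuples.
    """
    images = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        obj = json.loads(line)
        images.append((f"{obj.get('Repository')}:{obj.get('Tag')}", obj.get("Digest", "")))
    return images


def affected_images(host_images):
    """Return {host: [image refs]} for hosts holding an image whose digest is on the affected list."""
    hits = {}
    for host, lines in host_images.items():
        matches = [ref for ref, digest in parse_docker_images(lines) if digest in AFFECTED_IMAGE_DIGESTS]
        if matches:
            hits[host] = matches
    return hits


def affected_npm(host_npm_trees):
    """host_npm_trees maps host -> parsed `npm ls -g --json` output or a package-lock.json.

    Both shapes are checked: `dependencies` (npm ls) and `packages` (lockfile v2/v3,
    whose keys look like "node_modules/<name>").
    """
    hits = {}
    for host, tree in host_npm_trees.items():
        matches = []
        for name, info in tree.get("dependencies", {}).items():
            if (name, info.get("version")) in COMPROMISED_NPM:
                matches.append(f"{name}@{info['version']}")
        for path, info in tree.get("packages", {}).items():
            name = path.split("node_modules/")[-1]
            if (name, info.get("version")) in COMPROMISED_NPM:
                matches.append(f"{name}@{info['version']}")
        if matches:
            hits[host] = matches
    return hits


def blast_radius(host_images, host_npm_trees):
    """Union of both exposure sources, keyed by host, with the reason each host is in scope."""
    radius = {}
    for host, refs in affected_images(host_images).items():
        radius.setdefault(host, []).extend(f"image {r}" for r in refs)
    for host, pkgs in affected_npm(host_npm_trees).items():
        radius.setdefault(host, []).extend(f"npm {p}" for p in pkgs)
    return radius


def rotation_checklist(radius):
    """One rotate action per (host, secret class). No triage: every class on every affected host."""
    return [f"{host}: rotate {cls}" for host in sorted(radius) for cls in SECRET_CLASSES]


# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_HOST_IMAGES = {
    "dev-laptop-01": [
        '{"Repository":"checkmarx/kics","Tag":"latest","Digest":"sha256:PLACEHOLDER_POISONED_KICS_DIGEST_1"}',
        '{"Repository":"python","Tag":"3.12","Digest":"sha256:0000constructed0000"}',
    ],
    "dev-laptop-02": [
        '{"Repository":"node","Tag":"20","Digest":"sha256:1111constructed1111"}',
    ],
    # Same tag as the poisoned image but a different digest: not in scope.
    "build-runner-03": [
        '{"Repository":"checkmarx/kics","Tag":"latest","Digest":"sha256:2222constructed2222"}',
    ],
}
SAMPLE_HOST_NPM = {
    "dev-laptop-01": {"dependencies": {}},
    "dev-laptop-02": {"dependencies": {"@bitwarden/cli": {"version": "2026.4.0"}}},
    "build-runner-03": {"packages": {"node_modules/@bitwarden/cli": {"version": "0.0.0-constructed-older"}}},
}

if __name__ == "__main__":
    radius = blast_radius(SAMPLE_HOST_IMAGES, SAMPLE_HOST_NPM)
    for host, reasons in radius.items():
        print(f"{host} -> {', '.join(reasons)}")
    for action in rotation_checklist(radius):
        print(action)
```

Feed it the per-host output of `docker image ls --digests --format '{{json .}}'` and `npm ls -g --json` collected by your endpoint tooling. Note that `docker image ls` does not record pull time, so a digest match puts a host in scope regardless of date; a host that pulled and then deleted a poisoned image will not show up here and needs registry or proxy logs instead.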
Don't Wait for Your Own Friday Filing
Download the free First 48 Hours Breach Response Playbook. Built for CISOs, not consultants.