The Pearltech Group  |  Cybersecurity Intelligence
FIRST 48 CISO EDITION
Daily Breach Report
DATE: April 28, 2026
THREAT LEVEL: ■ ELEVATED
INCIDENTS TODAY: 4 Active Incidents
Live Intel  |  Incident Response Intelligence
Tuesday, April 28, 2026  |  Vol. 1, No. 2  |  First48CISO.com  |  @pearltechgroup  |  Dianne Powers
BREAKING  |  Supply Chain
Checkmarx Breached Twice: The Security Tool Scanning Your Infrastructure Was Stealing It
A security scanner trusted by developers worldwide was itself compromised. Twice. In 35 days. The attacker was not just stealing credentials. The tool was generating your scan reports and sending them out the back door.
Checkmarx KICS, downloaded over 5 million times from Docker Hub, runs directly against Terraform files, Kubernetes configs, and CloudFormation templates full of credentials and API keys. On April 22, threat group TeamPCP poisoned the official Docker Hub KICS image and two VS Code extensions. The modified binary generated uncensored scan reports, encrypted them, and shipped them to an attacker-controlled server impersonating Checkmarx at audit.checkmarx[.]cx.
The attacker did not break into your environment. You invited them in. You ran their Docker image. And while it was looking for your vulnerabilities, it was documenting them for someone else.
FIRST 48 CISO TAKE
This is a developer toolchain breach. The attacker put malware inside the tool you run to find malware. Audit every Docker image, GitHub Action, and VS Code extension in your CI/CD pipeline today. If you cannot pin it to a verified pre-April-22 SHA, pull it. Rotate every credential that touched an affected environment. This campaign is still active.
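One way to start the audit described above, as an added example that is not the newsletter's or Checkmarx's own code: a Python check that flags Dockerfile FROM lines and GitHub Actions uses: steps that are not pinned to an immutable sha256 digest or full commit SHA, so a mutable tag like :latest or @v4 cannot be silently repointed at a poisoned build. The sample pipeline files and the digest and commit values are constructed placeholders.

```python
import re
# Constructed sample pipeline files; digest and commit SHA are placeholders.
FAKE_DIGEST = "sha256:" + "0" * 64
FAKE_COMMIT = "0123456789abcdef0123456789abcdef01234567"
SAMPLE_DOCKERFILE = f"""\
FROM python:3.12-slim@{FAKE_DIGEST} AS base
FROM base
FROM checkmarx/kics:latest
"""
SAMPLE_WORKFLOW = f"""\
steps:
  - uses: ./.github/actions/local-lint
  - uses: actions/checkout@v4
  - uses: actions/checkout@{FAKE_COMMIT}
  - uses: docker://checkmarx/kics:v2
"""

DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")  # immutable image digest
COMMIT_RE = re.compile(r"@[0-9a-f]{40}$")  # full commit SHA of an Action
FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.I)
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s]+)")

def is_pinned(ref: str) -> bool:
    # Tags (:latest, @v4, @master) can be repointed; only a digest or a full commit SHA is immutable.
    return bool(DIGEST_RE.search(ref) or COMMIT_RE.search(ref))

def unpinned_dockerfile(text: str) -> list:
    """(line, ref) for each FROM that pulls a mutable tag from a registry."""
    stages, findings = set(), []
    for n, line in enumerate(text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        ref, stage = m.group(1), m.group(2)
        # Earlier build stages and 'scratch' are not registry pulls.
        if ref.lower() != "scratch" and ref not in stages and not is_pinned(ref):
            findings.append((n, ref))
        if stage:
            stages.add(stage)
    return findings

def unpinned_workflow(text: str) -> list:
    """(line, ref) for each 'uses:' step on a mutable tag or branch."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        # Local actions (./path) are reviewed with the repo itself; skip them.
        if m and not m.group(1).startswith("./") and not is_pinned(m.group(1)):
            findings.append((n, m.group(1)))
    return findings
```

Run it over every Dockerfile and workflow file in the pipeline; each hit is a reference to replace with a digest or commit SHA verified against a known-good build, or to pull.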
TODAY'S INCIDENT LOG
Checkmarx / KICS  |  Dev Security Tools  |  Investigating  |  TeamPCP
KICS Docker image poisoned April 22. Malware exfiltrated infrastructure scan data and credentials. Second compromise in 35 days. Lapsus$ claims separate data dump.
Bitwarden CLI  |  Password Management  |  Contained
Malicious @bitwarden/[email protected] live on npm for 93 minutes April 22. No vault data accessed. GitHub tokens and CI/CD secrets at risk for affected developers.
Vercel  |  Cloud Dev Platform  |  Investigating
Limited customer credentials compromised. Mandiant engaged. Context.ai browser extension used as initial access vector via Google OAuth. $2M ransom claimed by attacker.
Microsoft Windows Shell  |  OS / Enterprise  |  Patched
CVE-2026-32202 confirmed exploited in the wild. Spoofing flaw allows sensitive data access via malicious file. April Patch Tuesday addressed 67 flaws including 2 zero-days.
BY THE NUMBERS
5M+  |  KICS Docker pulls exposed
93m  |  Bitwarden CLI window live
35  |  Days between Checkmarx breaches
51  |  Malicious GitHub repos created
First 48 CISO  |  Free Resource
Don't Wait for Your Own Friday Filing
Download the free First 48 Hours Breach Response Playbook. Built for CISOs, not consultants.
FIRST 48 CISO
The Pearltech Group  |  Miami, FL
Intelligence sourced from SEC filings, BleepingComputer, SecurityWeek, The Hacker News
April 28, 2026  |  Not legal advice  |  © 2026 The Pearltech Group