TeamPCP executed a Wave 3 multi-vector supply chain attack against Checkmarx’s distribution infrastructure in April 2026, compromising Docker Hub images, the Checkmarx AST GitHub Action, two VS Code extensions, and deploying a spoofed npm package impersonating Bitwarden CLI. No CVE has been assigned; this will not surface in standard vulnerability scanners. Any organization that pulled Checkmarx KICS Docker images, ran the Checkmarx AST GitHub Action, or installed the affected VS Code extensions after April 1, 2026 should treat their CI/CD pipeline secrets and cloud credentials as compromised pending investigation.