Threat actor TeamPCP executed a coordinated supply chain attack against the Checkmarx KICS open-source IaC scanning toolchain on April 22, 2026, simultaneously compromising the official Docker Hub image, VS Code Marketplace extension, and Open VSX extension during a 90-minute window to steal cloud credentials and CI/CD secrets from developer pipelines. Any organization that consumed KICS artifacts during that exposure window faces confirmed credential compromise risk across AWS, GCP, Azure, GitHub, and SSH key stores. No CVE is assigned; this is a campaign-driven supply chain event confirmed by Checkmarx.