
TeamPCP supply chain attack compromised Trivy, Bitwarden CLI, LiteLLM, and Checkmarx tooling via stolen CI/CD secrets

  • Announced
  • Action required
  • High importance

Discovered and reported April 27, 2026, the TeamPCP attack chain began March 23 when threat actors exfiltrated CI/CD secrets from Trivy (Aqua Security's open-source vulnerability scanner). Those credentials enabled a cascading compromise spanning Trivy itself, KICS (Checkmarx infrastructure-as-code scanner), LiteLLM, Telnyx, Bitwarden CLI, Checkmarx GitHub Actions, and Open VSX plugins. The attack subsequently attracted Lapsus$ for extortion and Vect for ransomware deployment, illustrating how a single CI/CD credential leak can underpin multi-actor campaigns. The breadth of affected tooling — security scanners, secrets managers, AI inference libraries, and IDE plugin registries — means developer and security engineering teams should assume any machine that ran these tools during the compromise window may be backdoored. Recommended actions include rotating all credentials accessible from affected CI/CD environments, updating all listed tools to patched versions, auditing GitHub Actions workflow files for injected steps, and reviewing Open VSX plugin installations. Organizations using Bitwarden CLI in automated pipelines face particular urgency given the potential for secrets exfiltration.
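One way to carry out the workflow audit recommended above, as an added example that is not from the original report or any affected project: it compares a workflow file against a known-good baseline copy and also flags `uses:` references that are not pinned to a full commit SHA, since a mutable tag or branch can change without the workflow file changing. The action names, script path and SHA are constructed placeholders, and the line-based parsing assumes conventionally indented YAML.

```python
import re

USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*['\"]?([^\s'\"#]+)")
RUN_RE = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")

def extract_steps(text):
    """Collect ('uses', ref) and ('run', script) entries from workflow YAML text."""
    steps, lines, i = set(), text.splitlines(), 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if m := USES_RE.match(line):
            steps.add(("uses", m.group(1)))
        elif m := RUN_RE.match(line):
            key_col, body = len(m.group(1)), m.group(2).strip()
            if body[:1] in ("|", ">"):  # block scalar: gather the indented lines
                block = []
                while i < len(lines) and (not lines[i].strip() or
                        len(lines[i]) - len(lines[i].lstrip()) > key_col):
                    block.append(lines[i].strip())
                    i += 1
                body = "\n".join(b for b in block if b)
            steps.add(("run", body))
    return steps

def is_pinned(ref):
    """True for in-repo actions and for refs pinned to a full 40-hex commit SHA."""
    return ref.startswith("./") or bool(FULL_SHA_RE.fullmatch(ref.rpartition("@")[2]))

def audit(baseline_text, current_text):
    """Return [(kind, value, [reasons])] for steps that need a human look."""
    known, findings = extract_steps(baseline_text), []
    for kind, value in sorted(extract_steps(current_text)):
        reasons = []
        if (kind, value) not in known:
            reasons.append("not in baseline")  # step added since the trusted copy
        if kind == "uses" and not is_pinned(value):
            reasons.append("mutable ref")  # tag/branch can be repointed upstream
        if reasons:
            findings.append((kind, value, reasons))
    return findings

# Constructed sample workflows (placeholder names, not real actions or commits).
BASELINE = f"steps:\n  - uses: example-org/checkout@{'a' * 40}\n  - uses: example-org/scanner-action@v1\n"
CURRENT = BASELINE + "  - name: post-scan\n    run: |\n      ./scripts/post-scan.sh\n"
```

Take the baseline from a commit that predates March 23, the start of the compromise window given above, and run `audit` once per file under `.github/workflows/`.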