After a few quieter weeks, three supply chain attacks put secrets back in the spotlight. Between April 21 and 23, 2026, three distinct attacks hit npm, PyPI, and Docker Hub simultaneously. Their targets differ and the threat actor groups might, but their objectives don't: in each case, the malware's primary goal was to steal secrets from developer environments and CI/CD pipelines. API keys, cloud credentials, SSH keys, and registry tokens were all targeted.

Campaign 1 - Checkmarx KICS: Compromised Security Scanner Turns on Its Users

The first attack compromised official Checkmarx KICS Docker images and VS Code extensions. Docker flagged suspicious activity on the checkmarx/kics repository on April 22 and alerted Socket. An obfuscated payload harvested GitHub authentication tokens, AWS credentials, Azure and Google Cloud tokens, npm configuration files, SSH keys, and environment variables, compressing and encrypting everything before exfiltration.…