Hello and welcome to the Tuesday, April 28, 2026 edition of the Sands Internet Storm Center's Stormcast.

My name is Johannes Ulrich, Rekongn today from Jacksonville, Florida.

And this episode is brought you by the sands.edu graduate certificate program

in industrial control system security. Ken Dutay wrote a quick update on the latest developments

in Team PCP style attacks, and of course, one of the big developments last week was checkmarks, and a couple of the other companies affected by this Bitwarden.

I mentioned both last week. Now for checkmarks, there is one kind of interesting new development that apparently the entire GitHub repository was leaked as part of the attack.

They don't state how severe this is, if there are any secrets in this GitHub repository or not,

but they do state that this all is really sort of just follow-on left over from an attack

that started March 23rd.

So about a month ago, they wrote back then about this attack on March 23rd,

but now they basically linked those two attacks.

And yes, that's sort of one of the big news items here.

Just in general, as far as I current state of supply chain attacks go,

they also have a new blog post by socket.dev,

and they're writing about 73 different OpenVs extensions

that they found that basically linked to Classform,

which is typical credential exfiltration.

So again, you know, more opportunities here for developers to lose their credentials.

And with that, sort of new entry points being found by attackers for additional supply chain

attacks once they hit a developer

for a major package, then of course they can start the cycle all over again.

We have some bad news for users of Citrix Xen Server, or the XAPI, which is the API that comes with XEN server.

...