TeamPCP Hacks Checkmarx GitHub Actions Using Stolen CI Credentials

2026-03-24

1 min read

by info@thehackernews.com (The Hacker News)

Read Original

Get the latest tech trends every morning

Receive daily AI-curated summaries of engineering articles from top tech companies worldwide.

Endigest AI Core Summary

TeamPCP, the threat actor behind the Trivy supply chain attack, has compromised two Checkmarx GitHub Actions workflows using credentials stolen from the earlier breach.

•The affected workflows are checkmarx/ast-github-action and checkmarx/kics-github-action, both maintained by supply chain security company Checkmarx.
•The "TeamPCP Cloud stealer" targets SSH keys, Git, AWS, Google Cloud, Azure, Kubernetes, Docker, .env files, databases, VPNs, CI/CD configs, crypto wallets, and Slack/Discord webhooks.
•Attackers force-push tags to malicious commits containing a payload (setup.sh) that exfiltrates encrypted data to checkmarx[.]zone using typosquat domains to evade detection in CI/CD logs.
•A fallback mechanism creates a "docs-tpcp" repository using the victim's GITHUB_TOKEN to stage stolen data if the primary exfiltration fails.

TeamPCP Hacks Checkmarx GitHub Actions Using Stolen CI Credentials

Get the latest tech trends every morning

Endigest AI Core Summary

Related Articles

China-Linked TA416 Targets European Governments with PlugX and OAuth-Based Phishing

Microsoft Details Cookie-Controlled PHP Web Shells Persisting via Cron on Linux Servers

UNC1069 Social Engineering of Axios Maintainer Led to npm Supply Chain Attack

Why Third-Party Risk Is the Biggest Gap in Your Clients' Security Posture