Two GitHub Actions workflows maintained by Checkmarx have been compromised by a credential-stealing malware campaign orchestrated by the threat actor TeamPCP. This attack follows a similar breach of the Trivy vulnerability scanner and utilizes sophisticated exfiltration methods, including the use of typosquatted domains, to harvest a wide array of cloud and development secrets.
A recent wave of supply chain attacks has targeted GitHub Actions maintained by Checkmarx, specifically the ast-github-action and kics-github-action repositories. Cybersecurity researchers at Sysdig identified that these workflows were infected with a specialized credential stealer identical to one used against Aqua Security's Trivy scanner earlier in March 2026. This ongoing campaign suggests that attackers are using credentials stolen from previous compromises to pivot into new environments, effectively weaponizing the trust inherent in popular security tools to broaden their reach.
The malware, dubbed the TeamPCP Cloud stealer, is a comprehensive data harvesting tool designed to target highly sensitive developer environments. It scans for a broad spectrum of secrets including SSH keys, AWS and Azure credentials, Kubernetes configurations, and Docker data. Beyond infrastructure secrets, the payload also targets cryptocurrency wallets and communication webhooks for Slack and Discord. The versatility of this stealer allows the threat actors to maintain long-term access to cloud environments and private repositories long after the initial workflow execution has finished.
To deploy the malware, the attackers utilize a technique involving force-pushing tags to malicious commits that contain a setup script. Once active, the script gathers data and compresses it into an encrypted archive for exfiltration. In the Checkmarx incident, the stolen data was sent to a domain designed to mimic the victim’s own infrastructure, a tactic known as typosquatting. Specifically, the attackers used a domain that an analyst might easily mistake for a legitimate Checkmarx service, thereby reducing the chances that the malicious outbound traffic would be flagged during a routine log review.
In a further display of technical evolution, the latest version of the malware includes a secondary exfiltration method to ensure data persistence. If the primary server connection fails, the stealer uses the victim’s own GitHub token to create a new repository within the compromised account to stage the stolen data. This repository, often named with a variation of the term tpcp, serves as a backup drop point. This approach not only ensures the attackers receive the data but also leverages the legitimate GitHub API to hide malicious activity within standard platform traffic.
The primary goal of these operations is to harvest credentials from CI/CD runner memory, which frequently contains high-privilege personal access tokens and environment variables. If these tokens possess write permissions for other repositories within an organization, the attackers can move laterally to poison additional software components. This chain of compromise highlights a significant vulnerability in automated development pipelines where the security of one third-party action can dictate the integrity of an entire cloud-native ecosystem.
Source: https://www.sysdig.com/blog/teampcp-expands-supply-chain-compromise-spreads-from-trivy-to-checkmarx-github-actions