The cybercriminal group known as TeamPCP has expanded its supply chain attack campaign beyond the initial compromise of Aqua Security’s Trivy vulnerability scanner, using credentials stolen in that breach to poison two GitHub Actions workflows maintained by Checkmarx, one of the industry’s most prominent supply chain security companies.
Cloud security firm Sysdig confirmed that the same credential-stealing malware used in the Trivy attack was found in the compromised Checkmarx actions, “checkmarx/ast-github-action” and “checkmarx/kics-github-action,” approximately four days after the original Trivy breach on March 19. The Trivy compromise is tracked as CVE-2026-33634 with a CVSS score of 9.4.
The attack method is identical to the Trivy operation. The attackers force-push tags to malicious commits containing a shell script payload that harvests credentials and secrets from the CI runner environment. The stealer, called “TeamPCP Cloud stealer,” targets SSH keys, Git credentials, AWS, Google Cloud, Microsoft Azure, Kubernetes, Docker, .env files, database credentials, VPN configurations, CI/CD secrets, cryptocurrency wallet data, and Slack and Discord webhook URLs.
The stolen data is encrypted and exfiltrated to “checkmarx[.]zone,” a typosquat domain designed to look like it belongs to Checkmarx itself. Sysdig noted that this deliberate deception means an analyst reviewing CI/CD logs would see network traffic to what appears to be the action’s own vendor domain, significantly reducing the chance of manual detection.
The attack creates a cascading chain. The stealer’s primary function is harvesting credentials from CI runner memory, which allows the operators to extract GitHub personal access tokens and other secrets while a compromised action executes in a workflow.
If those tokens have write access to repositories that also use other actions, the attackers can weaponize them to push malicious code into additional tools, which is exactly what happened when credentials from the Trivy compromise were used to breach the Checkmarx actions.
A new version of the malware also creates a backup exfiltration channel. If the primary server connection fails, it uses the victim’s own GitHub token to create a repository called “docs-tpcp” and stages the stolen data there.
The attack has spread beyond GitHub Actions. Security firm Wiz discovered that the attackers also published trojanized versions of two Checkmarx VS Code extensions, “ast-results” (version 2.53.0) and “cx-dev-assist” (version 1.7.0), on the Open VSX marketplace. The VS Code Marketplace versions are not affected. The malicious extensions check whether the victim has cloud service credentials, fetch a next-stage payload, and install persistence on non-CI systems through a systemd service that polls the attacker’s server every 50 minutes for additional payloads.
In a darkly theatrical detail, the malware includes a kill switch that aborts if the server response contains the word “youtube.” The kill switch URL currently redirects to Queen’s “The Show Must Go On.”
TeamPCP has also been observed targeting Kubernetes clusters with a shell script that wipes machines when it detects systems running in the Iranian time zone and locale, signaling an escalation beyond credential theft into destructive operations.
Security teams are advised to immediately rotate all secrets, tokens, and cloud credentials accessible to CI runners during the affected window, audit workflow logs for references to “tpcp.tar.gz” or the compromised domains, search their GitHub organizations for repositories named “tpcp-docs” or “docs-tpcp,” and pin all GitHub Actions to full commit SHAs rather than version tags.
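Two of the recommended checks, auditing workflow logs for the indicators named above and finding actions that are pinned to tags rather than full commit SHAs, are simple enough to automate. The script below is an added example written for this article, not code from Sysdig, Wiz, or Checkmarx. The workflow file and log lines are constructed samples; the indicator strings are the ones quoted in the article, and the defanged domain is matched in both its bracketed and plain forms.

```python
import re

# Constructed sample workflow (not from any real repository): one step pinned
# to a tag, one to a full commit SHA, one local action, one plain run step.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: checkmarx/kics-github-action@v2.1.0
      - uses: checkmarx/ast-github-action@0123456789abcdef0123456789abcdef01234567  # SHA-pinned
      - uses: ./.github/actions/local-step
      - run: echo done
"""

# Constructed sample CI log lines (not real captures); the indicators they
# contain are the ones the article names.
SAMPLE_LOG = """\
2026-03-23T10:00:01Z Run checkmarx/kics-github-action@v2.1.0
2026-03-23T10:00:02Z GET https://checkmarx.zone/tpcp.tar.gz
2026-03-23T10:00:03Z gh repo create docs-tpcp --private
2026-03-23T10:00:04Z Results uploaded to https://vendor.example/
"""

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
# Matches "uses: owner/repo@ref" (optionally quoted) and stops before any
# trailing comment or whitespace.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")

def find_unpinned_uses(workflow_text):
    """Return (line_no, action, ref) for every third-party `uses:` step whose
    ref is not a 40-hex commit SHA. A tag or branch can be force-pushed to a
    different commit later; a full SHA cannot. Local (./) and docker:// refs
    are skipped because SHA pinning does not apply to them."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        spec = m.group(1)
        if spec.startswith("./") or spec.startswith("docker://"):
            continue
        action, _, ref = spec.partition("@")
        if not FULL_SHA.match(ref):
            findings.append((n, action, ref or "<none>"))
    return findings

# Indicators quoted in the article. The domain pattern accepts the defanged
# "checkmarx[.]zone" spelling as well as the raw form seen in logs.
IOC_PATTERNS = {
    "payload archive": re.compile(r"tpcp\.tar\.gz"),
    "typosquat domain": re.compile(r"checkmarx(?:\[\.\]|\.)zone"),
    "staging repository": re.compile(r"\b(?:tpcp-docs|docs-tpcp)\b"),
}

def scan_log_for_iocs(log_text):
    """Return (line_no, indicator_label, line) for every log line that
    contains one of the indicators; a line can match more than one."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        for label, pat in IOC_PATTERNS.items():
            if pat.search(line):
                hits.append((n, label, line.strip()))
    return hits

if __name__ == "__main__":
    for n, action, ref in find_unpinned_uses(SAMPLE_WORKFLOW):
        print(f"workflow line {n}: {action} pinned to '{ref}', not a commit SHA")
    for n, label, line in scan_log_for_iocs(SAMPLE_LOG):
        print(f"log line {n}: {label}: {line}")
```

Run it over the real `.github/workflows/*.yml` files and exported runner logs instead of the samples; the IoC scan is only a string match, so a clean result does not prove a runner was untouched, which is why credential rotation for the affected window is listed first.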
