One Stolen Token, Two More Victims: How TeamPCP Is Turning CI Pipelines Into Attack Chains
A threat actor group known as TeamPCP has compromised two GitHub Actions workflows maintained by Checkmarx, the supply chain security company, using credentials stolen during an earlier attack on Aqua Security’s Trivy vulnerability scanner. The incident, disclosed March 24, 2026, confirms that a single compromised pipeline can quietly poison others across the entire software delivery chain.
What Happened?
Four days after breaching Trivy’s GitHub Actions on March 19, 2026, TeamPCP used the tokens harvested from that first attack to tamper with two Checkmarx workflows: checkmarx/ast-github-action and checkmarx/kics-github-action. The Trivy compromise carries CVE identifier CVE-2026-33634 with a CVSS score of 9.4.
The group force-pushed tags to malicious commits containing a shell script called setup.sh, a credential-harvesting payload that pulls SSH keys, AWS, Google Cloud, Azure, Kubernetes, Docker credentials, CI/CD configurations, cryptocurrency wallet data, and Slack and Discord webhook URLs. Stolen data gets packaged into an encrypted archive called tpcp.tar.gz and sent to the domain checkmarx[.]zone, a typosquatted domain crafted to look like Checkmarx’s own infrastructure.
If the primary exfiltration fails, the malware creates a backup repository using the victim’s GitHub token. The same group also trojanized two Open VSX extensions, ast-results version 2.53.0 and cx-dev-assist version 1.7.0. On non-CI systems, the malware installs a persistent background service that checks for new payloads every 50 minutes.
What’s the Impact?
The damage here goes beyond one compromised vendor. When a CI runner executes a poisoned action, the malware skims every secret in memory, including GitHub personal access tokens. If those tokens have write access to other repositories using different actions, the attacker can push malicious code there too. It’s a domino effect built into how CI/CD pipelines share credentials by default.
The researchers traced the initial breach to a compromised cx-plugins-releases service account. Sysdig, which tracked the expanded campaign, noted that the use of vendor-specific lookalike domains is deliberate: security analysts reviewing logs see what appears to be routine traffic to a known vendor’s domain. Nothing looks wrong until you dig deeper.
TeamPCP has since escalated further, pushing malicious Docker images of Trivy and hijacking Aqua Security’s aquasec-com GitHub organization. They’ve also been observed deploying a shell script that wipes Kubernetes machines in environments matching Iranian time zones, a significant escalation in destructive capability.
How to Avoid This
If your pipelines used either Checkmarx action during the affected window, rotate all secrets and cloud credentials immediately. Audit your GitHub Actions workflow logs for any references to tpcp.tar.gz, scan.aquasecurity[.]zone, or checkmarx[.]zone. Check whether repositories named tpcp-docs or docs-tpcp exist in your GitHub organization, as their presence confirms data was successfully exfiltrated.
Going forward, pin GitHub Actions to full commit SHAs rather than version tags. Tags can be force-pushed and are not a reliable anchor. Restrict access to the Instance Metadata Service from CI runner containers and monitor outbound network traffic for unexpected domain connections.
The broader lesson here is structural. Code review and dependency scanning both failed in this incident because the malicious code was injected at the source of a trusted action. That’s the exploit. Trusting a vendor’s name without verifying the integrity of a specific commit is, right now, a gap most teams haven’t closed.
