Two more GitHub Actions workflows, maintained by supply chain security firm Checkmarx, have been compromised by credential-stealing malware attributed to a threat actor known as TeamPCP. This operation is also linked to the recent Trivy supply chain attack, underscoring a persistent threat to software development pipelines. The compromised workflows represent a significant escalation in the group’s efforts to harvest sensitive information from the cloud-native ecosystem.
Cloud security firm Sysdig reported observing an identical credential-stealing mechanism, previously identified in TeamPCP’s targeting of Aqua Security’s Trivy vulnerability scanner. This new compromise occurred approximately four days after the initial Trivy breach, which is being tracked under CVE identifier CVE-2026-33634. Sysdig indicated that the stolen credentials from the Trivy incident were likely leveraged to poison additional actions in affected repositories, suggesting a deliberate and expanding attack vector.
TeamPCP’s Expanding Reach in Supply Chain Attacks
The credential stealer, dubbed “TeamPCP Cloud Stealer,” is designed to extract a wide range of sensitive data. This includes SSH keys, Git credentials, Amazon Web Services (AWS), Google Cloud, and Microsoft Azure secrets, Kubernetes and Docker configurations, sensitive information within .env files, database credentials, and VPN access details. Additionally, it targets CI/CD configurations, cryptocurrency wallet data, and Slack and Discord webhook URLs, demonstrating a comprehensive approach to data exfiltration.
As observed in the Trivy incident, the threat actors are force-pushing malicious commits containing the stealer payload, typically named “setup.sh.” The stolen data is then encrypted and exfiltrated as a “tpcp.tar.gz” archive to the domain “checkmarx[.]zone” via IP address 83.142.209[.]11 on port 443. This consistent method of operation across multiple incidents points to a sophisticated and organized criminal enterprise.
A notable new tactic observed in this latest version of the attack is the creation of a “docs-tpcp” repository. This repository is used to stage the stolen data as a fallback exfiltration method if communication with the primary server fails. The staging uses the victim’s GITHUB_TOKEN and mirrors the “tpcp-docs” repository used in the earlier Trivy compromise, with a slightly altered name for the new targets.
Sysdig highlighted that the threat actors are employing vendor-specific typosquatting domains as a deliberate deception technique. This strategy aims to mask malicious outbound traffic by making it appear as legitimate communication tied to the affected vendor’s domain. Consequently, security analysts reviewing CI/CD logs might overlook these suspicious connections, reducing the chances of manual detection.
The primary function of the stealer is to harvest credentials from the memory of CI runners. This allows attackers to extract critical secrets, such as GitHub Personal Access Tokens (PATs), which are often present when a compromised action, like a malicious Checkmarx action, executes within a workflow. The implications are severe: if these tokens possess write access to other repositories that also utilize Checkmarx actions, the attackers can weaponize them to inject their malicious code into those repositories as well.
This creates a dangerous cascading effect, leading to a broader supply chain compromise. One poisoned action can capture secrets that are then used to facilitate the poisoning of other, seemingly unrelated, software components. The identical payload, encryption scheme, and the consistent naming convention of the exfiltrated archive (“tpcp.tar.gz”) unequivocally confirm that this is the same threat actor expanding their operational scope beyond the initial Trivy compromise.
According to Wiz, the initial compromise appears to have originated from the exploitation of the “cx-plugins-releases” service account. The attackers subsequently published trojanized versions of the “ast-results” (version 2.53.0) and “cx-dev-assist” (version 1.7.0) Open VSX extensions. The versions of these extensions available on the VS Code Marketplace have not been affected by this malicious activity.
Once these compromised extensions are activated, the malicious payload checks for the presence of credentials for major cloud service providers, including GitHub, AWS, Google Cloud, and Microsoft Azure. If such credentials are detected, the payload proceeds to fetch a subsequent stage of the attack from the same domain, “checkmarx[.]zone.”
Wiz researchers Rami McCarthy, James Haughom, and Benjamin Read detailed that the payload attempts to execute using common JavaScript package managers such as npx, bunx, pnpx, or yarn dlx. The retrieved package contains a sophisticated credential stealer. Harvested credentials are then encrypted using keys consistent with other operations in this campaign and exfiltrated to “checkmarx[.]zone/vsx” in the familiar “tpcp.tar.gz” format.
On non-CI systems, the malware employs a systemd user service to establish persistence. This persistence script periodically polls “checkmarx[.]zone/raw” for additional payloads. A kill switch is in place, designed to abort execution if the response from this URL contains the word “youtube.” Currently, this specific URL redirects to Queen’s song “The Show Must Go On,” suggesting a potential placeholder or an active kill switch mechanism.
In the days following the initial breach, TeamPCP actors also distributed malicious Docker images of Trivy containing the same stealer and tampered with dozens of internal repositories within Aqua Security’s “aquasec-com” GitHub organization. Their attacks have also targeted Kubernetes clusters with a malicious shell script. This script is designed to wipe all machines upon detecting systems configured with the Iranian time zone and locale, indicating a worrying escalation in the group’s modus operandi and potential geographical targeting.
To mitigate the threats posed by TeamPCP’s supply chain attacks, users are strongly advised to take several immediate actions. These include rotating all secrets, tokens, and cloud credentials that were accessible to CI runners during the affected period. Auditing GitHub Actions workflow runs for any references to “tpcp.tar.gz,” “scan.aquasecurity[.]org,” or “checkmarx[.]zone” in runner logs is also crucial. Organizations should search their GitHub environments for repositories named “tpcp-docs” or “docs-tpcp,” which would indicate successful fallback exfiltration. Pinning GitHub Actions to full commit SHAs instead of version tags is recommended to prevent force-push alterations, and monitoring outbound network connections from CI runners to suspicious domains is essential. Finally, restricting access to the Instance Metadata Service (IMDS) from CI runner containers by using IMDSv2 can provide an additional layer of security.
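The audit steps above can be scripted; the following is an added example, not code from Sysdig, Wiz or Checkmarx, that checks runner logs for the indicators quoted in this article, flags `uses:` references not pinned to a full commit SHA, and matches the two fallback repository names. The organization, action and repository names and the log lines are constructed for illustration.

```python
import re

# Indicators exactly as published in the article (defanged); refanged only for matching.
DEFANGED_IOCS = ["tpcp.tar.gz", "scan.aquasecurity[.]org", "checkmarx[.]zone", "83.142.209[.]11"]
FALLBACK_REPOS = {"tpcp-docs", "docs-tpcp"}
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)", re.M)
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")

def refang(text):
    return text.replace("[.]", ".")

def find_iocs(log_text):
    """Return (line_number, indicator) for every indicator seen in runner log text."""
    iocs = [refang(i) for i in DEFANGED_IOCS]
    return [(n, i) for n, line in enumerate(log_text.splitlines(), 1)
            for i in iocs if i in line.lower()]

def unpinned_actions(workflow_yaml):
    """Return `uses:` references that are not pinned to a full 40-hex commit SHA."""
    flagged = []
    for ref in USES_RE.findall(workflow_yaml):
        if ref.startswith(("./", "docker://")):
            continue  # local actions and container images are out of scope here
        rev = ref.partition("@")[2]
        if not FULL_SHA_RE.fullmatch(rev):
            flagged.append(ref)  # tag or branch: can be moved by a force-push
    return flagged

def fallback_repos(repo_names):
    """Return repositories whose name is exactly one of the staging repo names."""
    return sorted(r for r in repo_names if r.split("/")[-1].lower() in FALLBACK_REPOS)

# Constructed sample inputs (hypothetical org, action and repository names).
SAMPLE_WORKFLOW = """\
jobs:
  scan:
    steps:
      - uses: example-org/checkout-action@v4
      - uses: example-org/scanner-action@0123456789abcdef0123456789abcdef01234567 # v2.0.0
      - uses: ./.github/actions/local-step
"""
SAMPLE_LOG = refang(
    "Run example-org/scanner-action@v2\n"
    "egress-proxy: CONNECT checkmarx[.]zone:443 -> 83.142.209[.]11\n"
    "archive created: tpcp.tar.gz\n")
SAMPLE_REPOS = ["example-org/app", "example-org/docs-tpcp", "example-org/tpcp-docs-archive"]

if __name__ == "__main__":
    print(find_iocs(SAMPLE_LOG), unpinned_actions(SAMPLE_WORKFLOW), fallback_repos(SAMPLE_REPOS))
```

A hit from `find_iocs` or `fallback_repos` means the run or organization needs incident handling and credential rotation; a hit from `unpinned_actions` is a hardening finding, not evidence of compromise.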
The ongoing nature of these attacks, with threat actors continuously evolving their tactics, highlights the persistent vulnerability of software supply chains. The next expected development will likely involve the public disclosure of further compromised repositories or the identification of new attack vectors by security researchers. Organizations must remain vigilant and proactive in their security posture to defend against these sophisticated threats.

