KICS GitHub Action Compromised: TeamPCP Supply Chain Attack

March 27, 2026, 12:05 a.m.

Description

The KICS GitHub Action, an open-source infrastructure-as-code security scanner by Checkmarx, was compromised by TeamPCP, the group behind the recent Trivy attack. Between 12:58 and 16:50 UTC on March 23, 35 tags were hijacked, exposing users to credential-stealing malware. The attack involved staging imposter commits and updating tags using a compromised identity. The malware uses a new command-and-control (C2) domain, creates a fallback repository, and adds Kubernetes-focused persistence code. Additionally, two OpenVSX extensions were compromised. The payload targets cloud provider credentials and installs persistence on non-CI systems. Security teams are advised to audit workflows, search for exfiltration artifacts, and implement long-term hardening measures.
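An added example (not from the advisory or from Checkmarx) of the workflow audit the advisory recommends: it scans GitHub Actions workflow text for references to the KICS action and reports whether each one is pinned to an immutable commit SHA or to a mutable tag of the kind that was hijacked. The action slug `checkmarx/kics-github-action` and the sample workflow are assumptions.

```python
"""Audit GitHub Actions workflow files for references to the KICS action
that are pinned to a mutable tag instead of an immutable commit SHA.
Assumptions (not from the advisory): the action slug below and the
constructed sample workflow used for the demonstration."""
import re
from typing import List, Tuple

ACTION = "checkmarx/kics-github-action"  # assumed slug of the affected action

# Matches 'uses: owner/repo@ref' (optionally as a list item), capturing name and ref.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^@'\"\s]+)@([^'\"\s#]+)", re.MULTILINE)
# A full 40-hex-digit commit SHA is immutable; anything else (v2, v2.1.3, main) is a movable ref.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text: str, action: str = ACTION) -> List[Tuple[str, str]]:
    """Return (ref, verdict) for every 'uses:' line that references `action`.

    verdict is 'sha-pinned' when the ref is a full commit SHA, otherwise
    'mutable-tag', meaning the workflow would follow a retargeted tag."""
    findings: List[Tuple[str, str]] = []
    for match in USES_RE.finditer(text):
        name, ref = match.group(1), match.group(2)
        if name.lower() != action.lower():  # action names are case-insensitive
            continue
        verdict = "sha-pinned" if SHA_RE.match(ref) else "mutable-tag"
        findings.append((ref, verdict))
    return findings


# Constructed sample workflow: one tag-pinned and one SHA-pinned KICS step.
SAMPLE_WORKFLOW = """\
name: iac-scan
on: [push]
jobs:
  kics:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: run kics (tag reference)
        uses: checkmarx/kics-github-action@v2.1.3
      - name: run kics (SHA reference, placeholder SHA)
        uses: checkmarx/kics-github-action@0123456789abcdef0123456789abcdef01234567
"""

if __name__ == "__main__":
    for ref, verdict in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{ref}: {verdict}")
```

Run it across every file under `.github/workflows/` in each repository; any `mutable-tag` hit for this action in the affected window should be treated as a potentially compromised run.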

Date

  • Created: March 24, 2026, 8:49 a.m.
  • Published: March 24, 2026, 8:49 a.m.
  • Modified: March 27, 2026, 12:05 a.m.

Indicators

  • 744c9d61b66bcd2bb5474d9afeee6c00bb7e0cd32535781da188b80eb59383e0
  • 527f795a201a6bc114394c4cfd1c74dce97381989f51a4661aafbc93a4439e90
  • 0d66d8c7e02574ff0d3443de0585af19c903d12466d88573ed82ec788655975c
  • 65bd72fcddaf938cefdf55b3323ad29f649a65d4ddd6aea09afa974dfc7f105d

Attack Patterns