Supply chain compromise spreads from Trivy to Checkmarx GitHub Actions

Published 24/03/2026 09:49 · Modified 27/03/2026 00:06

Essential information

Published
24/03/2026 09:49
Modified
27/03/2026 00:06
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
ci/cd compromise, supply chain attack, teampcp, cloud stealer
Related entities
3 indicators, 3 observables, 1 intrusion sets (apt), 4 techniques (mitre), 1 malware, 3 others

Description

A threat actor known as TeamPCP expanded its supply chain compromise from Aqua Security's Trivy to Checkmarx's AST GitHub Action. The attack, which began on March 19, 2026, involved injecting a credential-stealing payload into CI/CD pipelines across thousands of repositories. The malicious code harvested secrets from runner memory, queried cloud metadata endpoints, and exfiltrated encrypted data to typosquatted domains. The Checkmarx compromise occurred approximately four days after the initial Trivy incident, using identical techniques but targeting a different action. This cascading effect demonstrates how a compromised action can be used to harvest credentials that in turn compromise further dependencies. Runtime detection proved effective in identifying the attack pattern across both waves, because the underlying behaviour stayed consistent even as the delivery mechanism changed.