CP
cyberpings
Threat IntelHIGH

Supply Chain Attack - KICS GitHub Action Compromised

WIWiz Blog
TeamPCPKICSGitHub Actionscredential-stealingsupply chain attack
🎯

Basically, a security tool on GitHub was hacked, putting users' data at risk.

Quick Summary

The KICS GitHub Action was compromised in a supply chain attack by TeamPCP. Users of the affected tags are at risk of credential theft. Immediate audits are crucial to ensure security.

What Happened

On March 23, 2026, the KICS GitHub Action, a security scanner developed by Checkmarx, fell victim to a credential-stealing malware attack orchestrated by the group known as TeamPCP. This incident occurred between 12:58 and 16:50 UTC, during which 35 tags were compromised. Users who had pinned their workflows to these tags unknowingly executed the malicious code. The repository was taken down shortly after a user reported the issue to the maintainers. However, it was reinstated later that day with the maintainers claiming the problem was resolved.

This attack marks the second time in a week that TeamPCP has targeted a widely used open-source security scanner. The group employed similar tactics to those used in the recent Trivy incident, indicating a pattern in their approach to supply chain attacks.

Who's Being Targeted

The KICS GitHub Action is an open-source tool designed for Infrastructure as Code security scanning. While it has a smaller user base compared to Trivy, its adoption in both public and private sectors makes it a significant target. Users who rely on KICS for security assessments could be at risk, particularly those who used the compromised tags in their workflows. The attack could potentially expose sensitive data and credentials from affected repositories.

Tactics & Techniques

The attack was executed through a compromised service account, specifically the cx-plugins-releases account, which was responsible for publishing the malicious tags. TeamPCP staged imposter commits on a fork of the KICS repository, embedding their payload. They then updated the tags to point to these malicious commits. The malware introduced several new features, including a new command-and-control (C2) domain and a fallback mechanism that creates a repository named docs-tpcp using the victim's GITHUB_TOKENs. This allows the attackers to maintain persistence even if their primary C2 is disrupted.

Defensive Measures

To mitigate the risks associated with this incident, security teams should take immediate action. First, they should audit their GitHub Actions workflows that reference the kics-github-action. If any versions of the action were used during the exposure window, teams should check their workflow run logs for signs of compromise. Additionally, organizations should search for any repositories named docs-tpcp, as these may indicate successful exfiltration of data. For ongoing guidance, users are encouraged to monitor advisories from security firms like Wiz and implement best practices for securing GitHub Actions.

🔒 Pro insight: This incident underscores the persistent threat of supply chain attacks, highlighting the need for robust auditing and monitoring of open-source dependencies.

Original article from

Wiz Blog

Read Full Article

Share

Related Pings

HIGHThreat Intel

Threat Intel - AI Framework and Rising Phishing Risks

The White House has unveiled its AI legislative framework amid rising phishing threats. Iranian and Russian hackers are targeting messaging apps like Signal and Telegram. This situation raises urgent cybersecurity concerns for users and organizations alike.

CyberWire Daily·
HIGHThreat Intel

Threat Intel - FBI Warns of Russian and Iranian Cyber Campaigns

The FBI has issued warnings about Russian and Iranian cyber campaigns targeting messaging platforms. Thousands of accounts have been compromised, raising serious security concerns. Users are urged to enhance their cybersecurity practices to protect against these threats.

The Record·
HIGHThreat Intel

Phishing Threats - Insights from KnowBe4's Erich Kron

Phishing attacks are on the rise, evolving with automation and targeting collaboration tools. KnowBe4's Erich Kron sheds light on these modern threats and their implications for organizations. Understanding these risks is crucial for protecting sensitive data.

SC Media·
HIGHThreat Intel

Threat Intel - Mysterious Numbers Station Emerges Amid War

The Threat A mysterious numbers station has emerged, broadcasting a series of numbers in Persian, coinciding with the recent US and Israeli military strikes on Iran. This unusual transmission began on February 28, 2026, and has been identified as originating from a US military base in Germany. The broadcasts occur twice daily, featuring a rhythmic narration of numbers, which

Wired Security·
HIGHThreat Intel

Threat Intel - Trivy Supply-Chain Attack Expands to Docker

Aqua Security faces a severe supply-chain attack from TeamPCP, compromising Docker and GitHub repositories. This breach threatens software integrity and user security. Aqua is working on remediation and updates.

BleepingComputer·
HIGHThreat Intel

Threat Intel - Routers Now Top Cyber Risk Vector Revealed

Forescout's latest report reveals routers have become the top cyber risk for enterprises, overtaking PCs. This shift poses a significant threat as organizations struggle to secure their network infrastructure. With many devices lacking proper monitoring, the risk of exploitation is rising. Companies must adapt their security strategies to address this evolving landscape.

IT Security Guru·