CP
cyberpings
Threat IntelHIGH

TeamPCP - Supply Chain Attack Targets Trivy and Checkmarx

AWArctic Wolf Blog
TeamPCPTrivyCheckmarxLiteLLMCI/CD
🎯

Basically, a group called TeamPCP hacked into security tools to steal sensitive information.

Quick Summary

TeamPCP has launched a supply chain attack targeting Trivy and Checkmarx. This breach could impact over 1,000 SaaS environments. Immediate action is needed to secure affected systems.

The Threat

The threat actor known as TeamPCP has launched a coordinated attack targeting security tools and open-source developer infrastructure. This campaign is particularly concerning as it leverages stolen CI/CD secrets and signing credentials, such as GitHub Actions tokens and release signing keys. The initial reports indicate that repositories for Trivy, Checkmarx, and LiteLLM have been compromised, with potential downstream impacts affecting over 1,000 enterprise SaaS environments.

Who's Behind It

On March 20, 2026, Aqua Security announced that its open-source vulnerability scanner, Trivy, was compromised due to a misconfigured GitHub Actions workflow. TeamPCP exploited this vulnerability by stealing CI/CD secrets, deleting trusted tags, and force-pushing malicious binaries, starting with Trivy version v0.69.4. This version included malicious artifacts capable of harvesting sensitive data such as environment variables, cloud tokens, and SSH keys from build environments. The incident has been assigned the CVE identifier CVE-2026-33634.

Tactics & Techniques

Following the initial compromise of Trivy, TeamPCP extended their attack to Checkmarx by leveraging the stolen CI/CD secrets. They compromised Checkmarx’s GitHub Actions for two repositories: ast-github-action and kics-github-action. By modifying these workflows, the threat actor was able to execute malicious code during continuous integration (CI) runs, which allowed them to collect sensitive data like repository secrets and environment variables. The attack highlights the risks associated with misconfigured CI/CD pipelines and the potential for widespread exploitation.

Defensive Measures

In response to these incidents, Aqua Security and GitHub took immediate action by revoking the compromised credentials, removing malicious releases, and rebuilding affected pipelines. Organizations using Trivy or Checkmarx should ensure they have implemented robust security measures, including:

  • Regularly auditing and configuring CI/CD workflows to prevent unauthorized access.
  • Monitoring for any suspicious activity within their repositories.
  • Educating developers about the risks associated with CI/CD secrets and the importance of securing them.

As the situation develops, it is crucial for organizations to remain vigilant and proactive in their cybersecurity practices to mitigate the risks posed by such supply chain attacks.

🔒 Pro insight: Analysis pending for this article.

Original article from

Arctic Wolf Blog · Andres Ramos

Read Full Article

Share

Related Pings

HIGHThreat Intel

macOS Threats - Closing Security Gaps in 2026

In 2026, macOS devices pose a significant security risk for businesses. High-access employees are prime targets for credential theft. Proactive detection strategies are crucial to safeguard sensitive information from compromise.

Cyber Security News·
HIGHThreat Intel

Supply Chain Attack - Compromises Widely-Used AI Package

A supply chain attack on the LiteLLM AI package poses risks to thousands of companies. Malicious code could lead to significant data theft and further breaches. Organizations must act quickly to secure their environments.

The Record·
HIGHThreat Intel

Threat Intel - Russia Arrests Alleged LeakBase Administrator

Russian police arrested the alleged admin of LeakBase, a major cybercrime forum. This forum was a hub for hackers sharing tools and stolen data. The arrest is part of a wider international crackdown on cybercrime.

TechCrunch Security·
MEDIUMThreat Intel

Threat Intel - Risks of Public Cyber Attribution Explained

Publicly blaming an entity for a cyberattack can lead to serious repercussions. Organizations need to think carefully before making such accusations. The risks involved can affect relationships and reputations.

Dark Reading·
HIGHThreat Intel

Threat Intel - Hackers Exploit Compromised Enterprise Identities

Cyber attackers are exploiting enterprise identities at an alarming rate, posing a serious threat to organizations. With tactics like impersonation and MFA bypass, the risk of data theft is high. Companies must adapt their security measures to protect against these evolving threats.

Infosecurity Magazine·
HIGHThreat Intel

AI Threats - Identity Theft Amplified by Speed and Scale

AI is revolutionizing cyberattacks, making identity theft a pressing issue. Organizations must understand these changes to protect their critical assets. The threat landscape is evolving, and so must our defenses.

SecurityWeek·