Supply Chain Threat Actor TeamPCP Targets Checkmarx KICS Code Scanner and Related Open‑Source Tools
What Happened — A previously unidentified threat group, dubbed TeamPCP, has been observed compromising the supply chain of several development‑tool ecosystems. The campaign includes malicious versions of Checkmarx’s KICS IaC scanner, the Trivy container scanner, VS Code plug‑ins, and the LiteLLM AI library.
Why It Matters for TPRM —
- Compromised scanning tools can inject malicious code into downstream applications, expanding the attack surface of any organization that relies on them.
- Supply‑chain compromises are difficult to detect and can undermine confidence in third‑party security assurances.
- Vendors may lack robust code‑signing or integrity‑verification processes, exposing clients to hidden threats.
Who Is Affected — Software development firms, DevSecOps service providers, fintech, healthcare SaaS, and any organization that integrates KICS or the other affected tools into their CI/CD pipelines.
Recommended Actions —
- Verify the integrity of all scanning tools (hash checks, code‑signing verification).
- Temporarily suspend automatic updates from untrusted sources until provenance is confirmed.
- Engage the vendor for a detailed incident response plan and request evidence of supply‑chain hardening.
- Incorporate additional SCA/SBOM checks to detect tampered binaries.
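One fail-closed way to do the hash check recommended above before a downloaded scanner release asset is installed in a pipeline. This is an added example, not code from the Dark Reading report, Checkmarx or any of the affected projects; the file names (`kics-linux-amd64`, `trivy-linux-amd64`) and contents are constructed stand-ins, not real release artifacts or their digests.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path
def sha256_of_file(path, chunk=1 << 20):
    """Stream the file so large scanner binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def parse_checksums(text):
    """Parse sha256sum-style lines ('<64 hex chars>  <filename>') into {filename: digest}."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed checksum line: {line!r}")
        digest, name = parts
        expected[name.lstrip("*")] = digest.lower()  # leading '*' = binary mode in sha256sum
    return expected

def verify_artifact(path, expected):
    """Return (ok, reason). Fail closed: an artifact with no published checksum is rejected."""
    name = Path(path).name
    if name not in expected:
        return False, "no published checksum for this artifact"
    actual = sha256_of_file(path)
    if not hmac.compare_digest(actual, expected[name]):
        return False, f"checksum mismatch: expected {expected[name]}, got {actual}"
    return True, "ok"

def demo():
    """Constructed scenario (not real KICS/Trivy artifacts); returns (clean, tampered, unknown) verdicts."""
    blob = b"\x7fELF constructed placeholder for a scanner binary\n"
    with tempfile.TemporaryDirectory() as d:
        good, unknown = Path(d, "kics-linux-amd64"), Path(d, "trivy-linux-amd64")
        bad = Path(d, "tampered", "kics-linux-amd64")  # same name as the clean release asset
        bad.parent.mkdir()
        good.write_bytes(blob)
        bad.write_bytes(blob + b"\x00appended bytes\n")  # any modification changes the digest
        unknown.write_bytes(b"no checksum entry published for this one\n")
        # The checksums file must itself come from a trusted (ideally signed) channel; built here from the clean file.
        expected = parse_checksums(f"{sha256_of_file(good)}  kics-linux-amd64\n")
        return tuple(verify_artifact(p, expected)[0] for p in (good, bad, unknown))
```

The digest check only proves the file matches the checksums list; the list's own authenticity must be established separately (the code-signing verification in the same recommendation), since whoever controls a compromised release page can publish matching checksums for a tampered binary.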
Technical Notes — The attacks appear to rely on third‑party dependency compromise, distributing malicious binaries via compromised GitHub releases and package managers. No specific CVEs were disclosed. The reported impact is the potential injection of malicious code into downstream pipelines and applications rather than direct exfiltration of customer data.
Source: Dark Reading