TeamPCP Compromises Checkmarx GitHub Actions Using Stolen CI Credentials
What Happened – The cyber‑criminal group TeamPCP infiltrated two official Checkmarx GitHub‑Actions workflows (checkmarx/ast-github-action and checkmarx/kics-github-action) by leveraging stolen CI/CD credentials. The compromised actions could be used to inject malicious code into downstream projects that rely on these actions for static analysis and policy‑as‑code checks.
Why It Matters for TPRM –
- Supply‑chain tooling is a high‑value attack surface; a breach can cascade to every organization that consumes the compromised actions.
- Stolen CI credentials give attackers read/write access to source repositories, potentially exposing proprietary code and secrets.
- The incident highlights the need for continuous monitoring of third‑party CI/CD components and credential hygiene.
Who Is Affected – SaaS security vendors, development teams using Checkmarx actions, and any downstream customers in technology, finance, healthcare, and other sectors that integrate these actions into their pipelines.
Recommended Actions –
- Audit all GitHub‑Actions workflows that reference Checkmarx actions; replace with verified versions or alternative tools.
- Rotate all CI/CD service‑account credentials and enforce MFA for all CI users.
- Implement secret‑scanning and runtime integrity checks on CI pipelines.
- Review third‑party risk contracts for supply‑chain security clauses and ensure vendors follow secure CI/CD practices.
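The first recommended action can be scripted. The following added example (not from the advisory, Checkmarx, or The Hacker News) scans workflow text for `uses:` references to the two actions named above and flags any that are not pinned to a full commit SHA; the sample workflow and its all-zero SHA are constructed placeholders, and SHA pinning is an assumed hardening criterion for "verified versions", not wording from the advisory.

```python
import re
from dataclasses import dataclass

# The two actions named in the advisory (owner/repo, compared case-insensitively).
AFFECTED_ACTIONS = {"checkmarx/ast-github-action", "checkmarx/kics-github-action"}

# A `uses:` step such as:  - uses: checkmarx/ast-github-action@2.0.0
# group 1 = owner/repo, group 2 = the ref after '@' (tag, branch or SHA).
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*["']?([\w.-]+/[\w.-]+)(?:/[\w./-]*)?@([^\s"'#]+)""")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

@dataclass
class Finding:
    line_no: int
    action: str
    ref: str
    pinned_to_sha: bool  # True only for a full 40-hex commit SHA

def audit_workflow(text: str) -> list[Finding]:
    """Return one Finding per step that uses an affected action."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group(1).lower(), m.group(2)
        if action in AFFECTED_ACTIONS:
            findings.append(Finding(n, action, ref, bool(FULL_SHA_RE.match(ref))))
    return findings

def unpinned(findings: list[Finding]) -> list[Finding]:
    """Mutable refs (tags, branches) that a compromised repo could repoint."""
    return [f for f in findings if not f.pinned_to_sha]

# Constructed sample workflow; the all-zero SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: scan
jobs:
  sast:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: checkmarx/ast-github-action@main
      - uses: "checkmarx/kics-github-action@0000000000000000000000000000000000000000"
"""

if __name__ == "__main__":
    for f in unpinned(audit_workflow(SAMPLE_WORKFLOW)):
        print(f"line {f.line_no}: {f.action}@{f.ref} is not pinned to a commit SHA")
```

Run it over each file under `.github/workflows/` in every repository; the pinned findings still need their SHA checked against a release you trust, since pinning only guarantees immutability, not provenance.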
Technical Notes – Attack vector: stolen CI credentials (likely obtained via phishing or credential dumping). No public CVE associated. Data potentially exposed: CI service‑account tokens, source‑code snapshots, and any secrets embedded in the pipelines. Source: The Hacker News