
Compromised Checkmarx Security Scanner Fuels Wide‑Scale Supply‑Chain Attack, CISA Adds Threat to KEV List

A threat‑actor hijacked the Checkmarx SAST platform to inject malicious code into downstream software builds, culminating in the compromise of the LiteLLM PyPI package. CISA has added the associated binaries to its KEV catalog, prompting urgent remediation for organizations that rely on affected tooling.

🛡️ LiveThreat™ Intelligence · 📅 March 27, 2026 · 📰 isc.sans.edu

Severity: High · Type: ThreatIntel · Confidence: High · Affected: 3 sector(s) · Actions: 4 recommended · Source: isc.sans.edu


What Happened – A threat‑actor compromised the Checkmarx static‑application‑security‑testing (SAST) platform and used it to inject malicious code into downstream software builds. The campaign, dubbed TeamPCP, progressed from initial access on 28 Feb 2026 to the compromise of the LiteLLM package on PyPI on 24 Mar 2026, expanding the attack surface far beyond the original report. CISA has now listed the associated malicious binaries in its Known Exploited Vulnerabilities (KEV) catalog and released detection signatures.

Why It Matters for TPRM

  • Supply‑chain compromises bypass traditional perimeter controls, exposing all downstream customers to hidden malware.
  • The use of a trusted security scanner as a weapon erodes confidence in third‑party tooling and can lead to widespread data exfiltration or ransomware deployment.
  • CISA’s KEV entry signals heightened government scrutiny and may trigger contractual compliance obligations for affected vendors.

Who Is Affected – Software development firms, SaaS providers, fintech platforms, and any organization that integrates third‑party Python packages or relies on Checkmarx for code analysis.

Recommended Actions

  • Inventory all assets that consumed Checkmarx scan results or incorporated code from affected builds.
  • Conduct an immediate code‑review and re‑scan of binaries produced during the affected window (28 Feb – 24 Mar 2026).
  • Apply CISA‑provided detection rules and monitor for Indicators of Compromise (IOCs) linked to the TeamPCP campaign.
  • Re‑evaluate third‑party risk assessments for security‑tool vendors and enforce stricter supply‑chain hygiene (signed artifacts, reproducible builds).
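As an added triage example for the second and fourth actions above (not code from the brief or the ISC diary), this Python script flags exact pins whose PyPI release was published inside the stated window (28 Feb – 24 Mar 2026) and calls out requirements that are not exactly pinned. The release data is a constructed sample shaped like the PyPI JSON API; the package names, versions and timestamps are made up.

```python
from datetime import datetime, timezone
import re

# Window from the brief: initial access 28 Feb 2026 through the LiteLLM compromise on 24 Mar 2026.
WINDOW_START = datetime(2026, 2, 28, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 3, 24, 23, 59, 59, tzinfo=timezone.utc)

# Constructed sample shaped like the PyPI JSON API ("releases" -> version -> list of files).
# Package names, versions and timestamps are made up; none is real release data.
SAMPLE_RELEASES = {
    "example-llm-client": {
        "1.4.0": [{"upload_time_iso_8601": "2026-01-15T10:00:00.000000Z"}],
        "1.5.0": [{"upload_time_iso_8601": "2026-03-10T08:30:00.000000Z"}],
    },
    "example-utils": {
        "2.0.1": [{"upload_time_iso_8601": "2025-11-02T12:00:00.000000Z"}],
    },
}
# Constructed requirements file: two exact pins and one loose range specifier.
SAMPLE_REQUIREMENTS = "example-llm-client==1.5.0\nexample-utils==2.0.1\nexample-unpinned>=3.0\n"
PIN_RE = re.compile(r"^([A-Za-z0-9_.\-]+)==([^\s;#]+)")

def parse_pins(text):
    # Split requirement lines into exact pins {name: version} and everything else.
    pins, loose = {}, []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        m = PIN_RE.match(line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
        else:
            loose.append(line)
    return pins, loose

def release_time(releases, name, version):
    """Earliest upload time of any file in the release, or None if the index has no such release."""
    files = releases.get(name, {}).get(version, [])
    times = [datetime.fromisoformat(f["upload_time_iso_8601"].replace("Z", "+00:00")) for f in files]
    return min(times) if times else None

def triage(requirements_text, releases, start=WINDOW_START, end=WINDOW_END):
    """Bucket pins: published inside the window (re-scan), unknown to the index, or not exactly pinned."""
    pins, loose = parse_pins(requirements_text)
    result = {"in_window": [], "unknown": [], "unpinned": loose}
    for name, version in pins.items():
        t = release_time(releases, name, version)
        if t is None:
            result["unknown"].append(f"{name}=={version}")
        elif start <= t <= end:
            result["in_window"].append(f"{name}=={version}")
    return result
```

Against a real index, replace SAMPLE_RELEASES with the `releases` object from `https://pypi.org/pypi/<name>/json`; anything in `in_window` goes to the re-scan queue and anything in `unpinned` cannot be placed in or out of the window at all.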

Technical Notes – The adversary leveraged a compromised Checkmarx SAST service to embed a malicious payload into compiled artifacts, which later propagated through the PyPI repository via the LiteLLM package. No public CVE has been assigned; the attack vector is a third‑party dependency compromise. Affected data includes source code, build artifacts, and potentially embedded credentials. Source: SANS Internet Storm Center

📰 Original Source
https://isc.sans.edu/diary/rss/32834

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.
