Executive Summary
In March 2026, the threat actor known as TeamPCP exploited misconfigured GitHub Actions workflows maintained by Checkmarx, specifically targeting the 'checkmarx/ast-github-action' and 'checkmarx/kics-github-action' repositories. By leveraging stolen continuous integration (CI) credentials, TeamPCP injected malicious code into these workflows, leading to unauthorized access and potential data exfiltration. This breach underscores the critical importance of securing CI/CD pipelines and the risks associated with exposed credentials in cloud-native environments.
The incident highlights a growing trend of cybercriminals targeting development infrastructure to propagate attacks. Organizations must prioritize the security of their software supply chains, implement robust access controls, and continuously monitor for unauthorized activities to mitigate such threats.
Why This Matters Now
The TeamPCP breach exemplifies the escalating threat to development infrastructures, emphasizing the urgent need for organizations to secure their CI/CD pipelines and protect against credential theft to prevent similar supply chain attacks.
Attack Path Analysis
TeamPCP initiated the attack by compromising Checkmarx's GitHub Actions workflows through stolen CI credentials, leading to unauthorized access. They escalated privileges by leveraging these credentials to inject malicious code into the workflows. Subsequently, the attackers moved laterally within the CI/CD environment, accessing additional repositories and services. They established command and control by exfiltrating stolen credentials and secrets to external servers. The exfiltrated data included sensitive information such as SSH keys and cloud service credentials. The impact was a cascading supply chain compromise, affecting multiple repositories and potentially leading to further unauthorized access.
Kill Chain Progression
Initial Compromise
Description
TeamPCP gained unauthorized access to Checkmarx's GitHub Actions workflows by using stolen CI credentials.
Related CVEs
CVE-2026-33634
CVSS 9.4A vulnerability in Aqua Security's Trivy GitHub Actions allows unauthorized access to sensitive credentials, leading to potential supply chain attacks.
Affected Products:
Aqua Security Trivy GitHub Actions – Affected versions prior to fix
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Valid Accounts
Unsecured Credentials: Credentials in Files
Use Alternate Authentication Material: Pass the Hash
Application Layer Protocol: Web Protocols
Supply Chain Compromise: Compromise Software Supply Chain
Command and Scripting Interpreter: Windows Command Shell
Impair Defenses: Disable or Modify Tools
Obfuscated Files or Information
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure the integrity of software and scripts
Control ID: 6.4.3
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity and Access Management
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
GitHub Actions credential theft compromising CI/CD workflows creates critical supply-chain vulnerabilities requiring enhanced egress security and zero trust segmentation for development infrastructure.
Computer/Network Security
Checkmarx workflow compromise demonstrates direct threats to security tooling providers, necessitating multicloud visibility and threat detection capabilities to protect security infrastructure integrity.
Financial Services
Supply-chain attacks targeting development workflows pose compliance risks under PCI requirements, demanding encrypted traffic controls and kubernetes security for payment processing applications.
Health Care / Life Sciences
Compromised security scanning tools threaten HIPAA compliance in healthcare development pipelines, requiring inline IPS protection and secure hybrid connectivity for patient data systems.
Sources
- TeamPCP Hacks Checkmarx GitHub Actions Using Stolen CI Credentialshttps://thehackernews.com/2026/03/teampcp-hacks-checkmarx-github-actions.htmlVerified
- Find and Fix CVE-2025-30066, Compromised GitHub Actions Leading to Credential Leakshttps://checkmarx.com/zero-post/compromised-github-actions-leading-to-credential-leaks/Verified
- Checkmarx One GitHub Actionshttps://docs.checkmarx.com/en/34965-68702-checkmarx-one-github-actions.htmlVerified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Implementing Aviatrix Zero Trust CNSF could have significantly constrained the attacker's ability to move laterally and exfiltrate sensitive data within the CI/CD environment.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit compromised credentials to access critical workflows may have been limited.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges by injecting malicious code into workflows could have been constrained.
Control: East-West Traffic Security
Mitigation: The attacker's ability to move laterally to additional repositories and services may have been restricted.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish command and control channels to external servers could have been constrained.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate sensitive data to external domains may have been restricted.
The overall impact of the supply chain compromise could have been reduced.
Impact at a Glance
Affected Business Functions
- Software Development
- Continuous Integration/Continuous Deployment (CI/CD) Pipelines
Estimated downtime: 7 days
Estimated loss: $500,000
Potential exposure of sensitive credentials and secrets, including SSH keys, cloud service provider credentials, and CI/CD configurations.
Recommended Actions
Key Takeaways & Next Steps
- • Implement Zero Trust Segmentation to enforce least privilege access controls within the CI/CD environment.
- • Enhance East-West Traffic Security to monitor and restrict lateral movement within the network.
- • Deploy Egress Security & Policy Enforcement to control and monitor outbound traffic, preventing unauthorized data exfiltration.
- • Utilize Multicloud Visibility & Control to gain comprehensive insights into cloud environments and detect anomalous activities.
- • Establish Threat Detection & Anomaly Response mechanisms to identify and respond to suspicious behaviors promptly.
