TeamPCP Hijacks Checkmarx KICS Using Stolen Trivy Tokens

The threat actor behind the Trivy and LiteLLM supply chain attacks has hit another target. On March 23, TeamPCP compromised Checkmarx's KICS GitHub Action, poisoning all 35 version tags with credential-harvesting malware—using tokens they'd stolen from the Trivy breach just four days earlier.

This marks the third major attack in TeamPCP's coordinated campaign against developer infrastructure, following their Trivy compromise on March 19 and their subsequent LiteLLM backdoor discovered yesterday.

A Four-Hour Attack Window

According to analysis from Wiz, the attack unfolded between 12:58 and 16:50 UTC on March 23. TeamPCP compromised the cx-plugins-releases service account—the account used to publish official Checkmarx releases—and force-pushed malicious commits to all 35 existing version tags.

The attackers modified setup.sh and action.yaml files to inject their credential stealer. Because they updated existing tags rather than creating new versions, any CI/CD pipeline pinned to version ranges like v1 or v2 would automatically pull the poisoned code.

Checkmarx took down the repository shortly after a GitHub user filed an issue reporting suspicious activity.

Credential Reuse Enabled the Attack

The attack chain demonstrates why credential rotation matters after a breach. Sysdig's threat research team traced the compromise back to tokens harvested during the March 19 Trivy incident.

When TeamPCP backdoored Trivy's CI/CD pipeline, they deployed malware that scanned runner process memory for secrets. GitHub personal access tokens extracted from Trivy's workflows gave the attackers footholds in other repositories—including Checkmarx's.

The attackers used the same RSA public key for payload encryption across both the Trivy and KICS attacks, confirming the connection between incidents.

What the Malware Steals

The KICS payload targets the same data categories as other TeamPCP tools:

• Environment variables containing API keys and tokens
• SSH private and public keys
• GitHub personal access tokens from CI runner memory
• AWS instance metadata via IMDS queries
• Kubernetes service account tokens
• Cloud provider credentials for AWS, GCP, and Azure
• Docker and database configurations

Stolen data gets encrypted using AES-256-CBC with a randomly generated session key, then wrapped with the attacker's hardcoded RSA public key. The encrypted archive ships to checkmarx[.]zone on port 443—a typosquat domain designed to blend in with legitimate Checkmarx traffic.

Kubernetes Persistence Added

Unlike the original Trivy payload, the KICS version includes a new persistence mechanism. When the malware detects a Kubernetes environment, it attempts to deploy privileged pods across cluster nodes. This mirrors the CanisterWorm behavior we covered last week, though the KICS variant focuses on credential theft rather than destruction.

The Kubernetes component queries the metadata service, extracts service account tokens, and establishes callbacks to checkmarx[.]zone/raw for follow-on payloads.

VS Code Extensions Also Compromised

TeamPCP didn't stop at GitHub Actions. Two Checkmarx VS Code extensions on OpenVSX were also poisoned:

• ast-results version 2.53.0
• cx-dev-assist version 1.7.0

These extensions were available between 2:53 and 15:41 UTC on the same day. Developers who installed or updated these extensions during that window should treat their systems as compromised.

Detection and IOCs

Sysdig and Falco rules caught both waves of the attack because detection focused on behavior rather than signatures. The critical indicator was IMDS credential access followed by data uploads from the same process tree.

Network indicators:

• checkmarx[.]zone (83.142.209.11)
• checkmarx[.]zone/vsx (extension payload delivery)
• checkmarx[.]zone/raw (persistent callback)

File artifacts:

• tpcp.tar.gz encrypted archives
• Modified setup.sh in GitHub Action workflows
• docs-tpcp and tpcp-docs staging repositories

Organizations using the GlassWorm detection guidance we published earlier should already have coverage for TeamPCP's core stealer behavior.

Checkmarx Response

Checkmarx stated it was "not aware of any impact to customer data or production environments." The company removed the compromised GitHub Action and VS Code extensions, though the window of exposure means some CI/CD pipelines may have pulled malicious code before remediation.

Why This Matters

TeamPCP's campaign demonstrates how a single supply chain compromise cascades into multiple downstream attacks. Credentials stolen from Trivy enabled the KICS breach. Credentials stolen from KICS may already be enabling attacks we haven't discovered yet.

The group has compromised a vulnerability scanner (Trivy), a code analysis platform (Checkmarx), and the most widely used LLM proxy in Python (LiteLLM)—all in under a week. Each tool is designed to help developers write secure code, which makes them ideal targets for attackers seeking access to sensitive pipelines.

Organizations running any of these tools should assume exposure and rotate credentials regardless of whether they can confirm installation of compromised versions. The cascading nature of these attacks means your credentials may have been harvested through a dependency you don't even realize was affected.