Two more GitHub Actions workflows have become the latest to be compromised by credential-stealing malware by a threat actor known as TeamPCP, the cloud-native cybercriminal operation also behind the Trivy supply chain attack.
The workflows, both maintained by the supply chain security company Checkmarx, are listed below –
Cloud security company Sysdig said it observed an identical credential stealer as the one used in TeamPCP’s operations targeting Aqua Security’s Trivy vulnerability scanner and its associated GitHub Actions, about four days after the breach on March 19, 2026. The Try supply chain compromise is being tracked under the CVE identifier CVE-2026-33634 (CVSS score: 9.4).
“This suggests that the stolen credentials from the Trivy compromise were used to poison additional actions in affected repositories,” Sysdig said.
The stealer, referred to as “TeamPCP Cloud stealer,” is designed to steal credentials and secrets related to SSH keys, Git, Amazon Web Services (AWS), Google Cloud, Microsoft Azure, Kubernetes, Docker, .env files, databases, and VPNs, along with CI/CD configurations, data from cryptocurrency wallets, and Slack and Discord webhook URLs.
Like in the case of Trivy, the threat actors have been found to force-push tags to malicious commits containing the stealer payload (“setup.sh”). The stolen data is exfiltrated to the domain “checkmarx[.]zone” (IP address: 83.142.209[.]11:443) in the form of an encrypted archive (“tpcp.tar.gz”).
The new version creates a “docs-tpcp” repository using the victim’s GITHUB_TOKEN to stage the stolen data as a backup method if the exfiltration to the server fails. In the Trivy incident, the threat actors used the repository name “tpcp-docs” instead.
“The use of vendor-specific typosquat domains for each poisoned action is a deliberate deception technique,” Sysdig said. “An analyst reviewing CI/CD logs would see curl traffic to what appears to be the action’s own vendor domain, reducing the likelihood of manual detection.”
The fact that the stealer’s primary function is to harvest credentials from CI runner memory allows the operators to extract GitHub personal access tokens (PATs) and other secrets from when a compromised Trivy action executes in a workflow. To make matters worse, if those tokens have write access to repositories that also use Checkmarx actions, the attacker can weaponize them to push malicious code.
This, in turn, opens the door to a cascading supply chain compromise, where one poisoned action captures secrets that are used to facilitate the poisoning of other actions.
“The identical payload, encryption scheme, and tpcp.tar.gz naming convention confirm this is the same threat actor expanding their reach beyond the initial Trivy compromise,” Sysdig noted. “Code review and dependency scanning failed here because the malicious code was injected into a trusted action at the source.”
According to Wiz, the attack appears to have been carried out via the compromise of the “cx-plugins-releases” service account, with the attackers also publishing trojanized versions of the “ast-results” (version 2.53.0) and “cx-dev-assist” (version 1.7.0) Open VSX extensions. The VS Code Marketplace versions are not affected.
Once the extension is activated, the malicious payload checks whether the victim has credentials for at least one cloud service provider, such as GitHub, AWS, Google Cloud, and Microsoft Azure. If any credentials are detected, it proceeds to fetch a next-stage payload from the same domain (“checkmarx[.]zone”).
“The payload attempts execution via npx, bunx, pnpx, or yarn dlx. This covers major JavaScript package managers,” Wiz researchers Rami McCarthy, James Haughom, and Benjamin Read said. “The retrieved package contains a comprehensive credential stealer. Harvested credentials are then encrypted, using the keys as elsewhere in this campaign, and exfiltrated to ‘checkmarx[.]zone/vsx’ as tpcp.tar.gz.”
“On non-CI systems, the malware installs persistence via a systemd user service. The persistence script polls https://checkmarx[.]zone/raw every 50 minutes for additional payloads, with a kill switch that aborts if the response contains “youtube”. Currently, the link redirects to The Show Must Go On by Queen.”
To mitigate the threat, users are advised to perform the following actions with immediate effect –
- Rotate all secrets, tokens, and cloud credentials that were accessible to CI runners during the affected window.
- Audit GitHub Actions workflow runs for any references to tpcp.tar.gz, scan.aquasecurity[.]org, or checkmarx[.]zone in runner logs.
- Search GitHub organization for repositories named “tpcp-docs” or “docs-tpcp,” which indicate successful exfiltration via the fallback mechanism.
- Pin GitHub Actions to full commit SHAs rather than version tags, as tags can be force-pushed.
- Monitor outbound network connections from CI runners to suspicious domains.
- Restrict the Instance Metadata Service (IMDS) from CI runner containers using IMDSv2.
In the days following the initial breach, TeamPCP actors have pushed malicious Docker images of Trivy containing the same stealer and hijacked the company’s “aquasec-com” GitHub organization to tamper with dozens of internal repositories.
They have also been observed targeting Kubernetes clusters with a malicious shell script that wipes all machines when it detects systems matching the Iranian time zone and locale, highlighting a newfound escalation of the group’s modus operandi.
