Checkmarx KICS scanner is the latest victim of a credential-stealing supply chain attack by TeamPCP. Between 12:58 and 16:50 UTC on March 23, 35 tags were hijacked. Learn how to audit your workflows, identify malicious activity, and secure your GitHub Actions.
# Incident Report: TeamPCP Supply Chain Attack on Checkmarx KICS
## Executive Summary
Between 12:58 and 16:50 UTC on March 23, 2026, the Checkmarx KICS (Infrastructure as Code) GitHub Action was compromised in a supply chain attack by the threat actor TeamPCP. The attackers used a compromised service account to hijack 35 version tags, redirecting users to a malicious payload designed to steal credentials and establish persistence in Kubernetes environments. The incident was mitigated after a user reported the anomaly, leading to the repository being taken down.
## Incident Details
- **Discovery Date:** March 23, 2026
- **Incident Date:** March 23, 2026
- **Affected Organization:** Checkmarx (KICS Open Source Project)
- **Sector:** Cybersecurity / Software Development
- **Geography:** Global (any user of the GitHub Action could be affected)
## Timeline of Events
### Initial Access
- **Date/Time:** March 23, 2026, 12:58 UTC
- **Vector:** Compromise of a GitHub Service Account (`cx-plugins-releases`).
- **Details:** The attacker utilized the compromised identity to directly update existing Git tags and point them to malicious commits staged on a fork.
### Lateral Movement
- **Details:** Utilizing stolen `GITHUB_TOKEN`s from victim environments to create fallback repositories (`docs-tpcp`) within the victims' own organizations.
### Data Exfiltration/Impact
- **Details:** The malware exfiltrated secrets and environment variables to an attacker-controlled C2. It also attempted to establish persistence within Kubernetes clusters and created "decoy" repositories as a backup communication channel.
### Detection & Response
- **Detection:** A user identified suspicious activity and filed a GitHub issue notifying the maintainers.
- **Response:** The repository was taken down by 16:50 UTC (approximately 4 hours after the initial compromise) to prevent further infections.
## Attack Methodology
- **Initial Access:** Valid Account (Compromised `cx-plugins-releases` service account).
- **Persistence:** Implementation of Kubernetes-focused persistence code; creation of a fallback repository (`docs-tpcp`) using victim tokens.
- **Privilege Escalation:** Not explicitly detailed, but leveraged high-privilege service account access to modify repository tags.
- **Defense Evasion:** Used imposter commits on a fork to stage payloads; redirected existing trusted tags to malicious SHAs.
- **Credential Access:** Automated theft of `GITHUB_TOKEN` and environment variables.
- **Discovery:** Kubernetes environment scanning.
- **Lateral Movement:** Automated creation of repositories in victim GitHub Organizations.
- **Collection:** Gathering of environment secrets and configuration data.
- **Exfiltration:** Data sent to C2 domain `checkmarx[.]zone`.
- **Impact:** Supply chain compromise affecting CI/CD pipelines.
## Impact Assessment
- **Financial:** Undisclosed; potential costs related to remediation and secret rotation for affected users.
- **Data Breach:** Compromise of environment secrets, tokens, and potentially sensitive IaC configurations.
- **Operational:** Disruption of CI/CD pipelines for organizations using the KICS scanner; repository takedown.
- **Reputational:** High impact for Checkmarx/KICS, being the second such attack (following Trivy) by the same actor in five days.
## Indicators of Compromise
- **Network Indicators:**
  - `checkmarx[.]zone` (C2 domain)
- **File Indicators:**
  - `setup.sh` (malicious payload script)
  - Tag versions v1, v1.0 through v2.1.20 (pointing to malicious SHAs like `8e20c7a...`)
- **Behavioral Indicators:**
  - Unauthorized creation of a repository named `docs-tpcp` in a GitHub Organization.
  - Unexpected outbound traffic from CI/CD runners to unknown domains.
## Response Actions
- **Containment:** Repository `github[.]com/Checkmarx/kics-github-action` was taken down to stop the spread.
- **Eradication:** Identification and documentation of 35 compromised tags and specific malicious commit SHAs.
- **Recovery:** Public disclosure and guidance for users to audit logs and rotate credentials.
## Lessons Learned
- **Key Takeaways:** Pinning GitHub Actions to mutable tags (e.g., `@v1`) is a significant security risk; attackers can hijack these tags without changing the visible version metadata.
- **Improvement Areas:** Service accounts used for automated releases require stricter access controls and monitoring for anomalous tag-update behavior.
## Recommendations
- **Immutable References:** Hard-code GitHub Actions to specific commit SHAs rather than tags.
- **Token Hardening:** Implement the principle of least privilege for `GITHUB_TOKEN` in workflows (use `permissions: read-all` or specific scopes).
- **Auditing:** Regularly audit GitHub Organization audit logs for the creation of unexpected repositories or abnormal service account activity.
- **Secret Rotation:** Any organization that ran the KICS action between 12:58 and 16:50 UTC on March 23 should immediately rotate all secrets exposed to that CI/CD environment.
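The first three recommendations (SHA pinning, token hardening, auditing) can be enforced with a small workflow linter. The script below is an added example, not code from the report or from Checkmarx: it scans a workflow file for `uses:` references that are not pinned to a 40-hex commit SHA, rates any tag-based reference to `checkmarx/kics-github-action` as high severity because its tags were hijacked, reports a missing `permissions:` block, and offers a helper that rewrites a tag reference to a SHA the caller has already verified upstream. The sample workflow and the placeholder SHAs are constructed; the script never looks up or invents a real commit.

```python
import re

# A 40-hex commit SHA is the only immutable form of a GitHub Action reference
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches "uses: owner/repo[/path]@ref" on a step line; local (./) and docker:// actions do not match
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@([^\s#]+)")
# Action whose tags v1 through v2.1.20 were redirected in the incident described above
KICS_ACTION = "checkmarx/kics-github-action"

# Constructed sample workflow (not from any real repository); the SHA below is a placeholder
SAMPLE_WORKFLOW = """\
name: iac-scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run KICS
        uses: checkmarx/kics-github-action@v2.1.20
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567 # v5
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.19
"""


def scan_workflow(text):
    """Return a list of findings for mutable action references and missing token scoping."""
    lines = text.splitlines()
    findings = []
    if not any(re.match(r"^\s*permissions:", line) for line in lines):
        findings.append({"line": 0, "severity": "medium", "action": None, "ref": None,
                         "reason": "no permissions: block; GITHUB_TOKEN falls back to the "
                                   "repository default scopes instead of least privilege"})
    for lineno, line in enumerate(lines, 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.groups()
        if SHA_RE.match(ref):
            continue  # already pinned to an immutable commit
        if action.lower().startswith(KICS_ACTION):
            severity = "high"
            reason = ("tag-based reference to an action whose tags were hijacked; confirm which "
                      "commit each run in the incident window actually resolved to")
        else:
            severity = "medium"
            reason = "mutable reference (tag or branch); pin to a commit SHA"
        findings.append({"line": lineno, "severity": severity, "action": action,
                         "ref": ref, "reason": reason})
    return findings


def pin_reference(uses_line, sha):
    """Rewrite 'uses: owner/repo@tag' as 'uses: owner/repo@<sha> # tag'.

    The SHA is supplied by the caller after verifying it against the upstream
    repository; this function only checks its shape and never derives it."""
    m = USES_RE.match(uses_line)
    if not m or not SHA_RE.match(sha):
        raise ValueError("not a remote action reference, or SHA is not 40 hex characters")
    ref = m.group(2)
    # Keep the human-readable tag as a trailing comment, the common pinning convention
    return f"{uses_line[:m.start(2)]}{sha} # {ref}"


if __name__ == "__main__":
    for f in scan_workflow(SAMPLE_WORKFLOW):
        where = f"line {f['line']}" if f["line"] else "file"
        print(f"[{f['severity']}] {where}: {f['action'] or ''}@{f['ref'] or ''} {f['reason']}")
    print(pin_reference("      - uses: actions/checkout@v4", "0" * 40))
```

Run it over every file under `.github/workflows/`; a clean result is one where every remote `uses:` carries a SHA and a `permissions:` block exists, which together close the two weaknesses the attack relied on (trusted mutable tags and broadly scoped tokens).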