Full Report
On 2026-03-23, an incident was reported, involving TeamPCP, gaining initial access via Supply chain vector, to achieve Supply chain attack.
Analysis Summary
# Incident Report: TeamPCP Supply Chain Attack via KICS
## Executive Summary
In March 2026, the threat actor group known as TeamPCP executed a supply chain attack by compromising the "Keeping Infrastructure as Code Secure" (KICS) ecosystem. By leveraging a supply chain vector, the attackers successfully injected malicious code into automated workflows. The incident highlights the growing risk of third-party integration points within modern CI/CD pipelines.
## Incident Details
- **Discovery Date:** March 23, 2026
- **Incident Date:** March 23, 2026
- **Affected Organization:** KICS (Checkmarx open-source project) / GitHub Users
- **Sector:** Technology / Open Source Software
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** March 23, 2026
- **Vector:** Supply chain vector
- **Details:** TeamPCP targeted the KICS GitHub Action or related registry. By compromising the distribution point of the KICS tool, the attackers were able to ensure their malicious code was automatically pulled by downstream users during their build processes.
### Lateral Movement
- **Details:** Upon execution within a victim's CI/CD pipeline, the attack sought to move from the temporary build environment to broader cloud environments by harvesting environment variables and secrets stored in the runner’s memory.
### Data Exfiltration/Impact
- **Details:** The primary impact was the compromise of the supply chain itself, potentially leading to the injection of backdoors into the software products of organizations using KICS for IaC (Infrastructure as Code) scanning.
### Detection & Response
- **Discovery:** The incident was identified and reported on March 23, 2026.
- **Response Actions:** Investigation into the KICS GitHub Action; notification to the developer community; remediation of the compromised repository/registry components.
## Attack Methodology
- **Initial Access:** Supply Chain Attack (via KICS ecosystem).
- **Persistence:** Injected malicious scripts into legitimate CI/CD workflows/Actions.
- **Privilege Escalation:** Use of GitHub GITHUB_TOKEN or cloud provider service account keys stored in CI/CD secrets.
- **Defense Evasion:** Executing under the guise of a trusted security tool (KICS).
- **Credential Access:** Scraping environment variables and secret stores within the build runner.
- **Discovery:** Identifying cloud resources and API keys accessible from the CI environment.
- **Lateral Movement:** Using stolen credentials to access cloud consoles or container registries.
- **Collection:** Harvesting secrets, source code, and configuration files.
- **Exfiltration:** Sending harvested tokens/secrets to actor-controlled infrastructure.
- **Impact:** Compromise of integrity for downstream software builds.
## Impact Assessment
- **Financial:** High (Potential remediation costs for all impacted downstream users).
- **Data Breach:** Exposure of CI/CD secrets, API keys, and private source code.
- **Operational:** Disruption of automated deployment pipelines for organizations using KICS.
- **Reputational:** Significant impact on the perceived security of the KICS open-source project.
## Indicators of Compromise
- **Network indicators:** Connections to hxxps[://]wiz[.]io/blog/teampcp-attack-kics-github-action (Reference link context).
- **File indicators:** Modified `action.yml` files or malicious hooks within KICS distribution packages.
- **Behavioral indicators:** Unexpected outbound network calls from CI/CD runners to unknown IP addresses; unauthorized use of build-time secrets.
## Response Actions
- **Containment:** Revocation of compromised certificates and immediate update/roll-back of the KICS GitHub Action versions.
- **Eradication:** Removal of malicious code from the master branch and associated registries.
- **Recovery:** Mandatory rotation of all secrets that were exposed to the compromised build environments during the window of infection.
## Lessons Learned
- **Dependency Risk:** Open-source security tools (like KICS) are themselves high-value targets for supply chain attacks.
- **Runner Isolation:** CI/CD runners often have more permissions than necessary, allowing attackers to pivot to cloud environments.
- **Action Pinning:** Relying on 'latest' tags for GitHub Actions is a major security risk.
## Recommendations
- **Version Pinning:** Pin GitHub Actions to specific commit SHA hashes rather than tags or branches (e.g., `uses: checkmarx/kics-action@<full_commit_sha>`).
- **Secret Masking:** Implement rigorous secret masking and ensure runners are ephemeral and isolated.
- **Integrity Checks:** Use checksums or signature verification for all third-party binaries used in production pipelines.
- **Least Privilege:** Restrict the permissions of the `GITHUB_TOKEN` within workflows to `read-only` where possible.