TeamPCP Compromises Checkmarx GitHub Actions with Stolen Credentials

TeamPCP uses stolen CI credentials to compromise Checkmarx GitHub Actions, raising alarms over supply chain security.

The threat actor TeamPCP has compromised two GitHub Actions workflows maintained by Checkmarx using stolen Continuous Integration (CI) credentials. The attack follows TeamPCP's previous exploits, notably the Trivy supply chain attack, and highlights the group's ongoing focus on supply chain vulnerabilities. The affected workflows, checkmarx/ast-github-action and checkmarx/kics-github-action, are critical components in the software development lifecycle, facilitating security assessments and compliance checks.

For businesses, this incident underscores the importance of robust credential management and monitoring, particularly in cloud-native environments where CI/CD pipelines are increasingly targeted. Organizations must prioritize multi-factor authentication (MFA) and regular credential audits to mitigate the risks of credential theft. As supply chain attacks become more sophisticated, understanding the implications of such breaches is vital for maintaining the integrity of software development processes. The incident is a stark reminder of how interconnected software components are and of the need for enhanced vigilance, particularly as reliance on AI and automation in development continues to grow.

---

*Originally reported by [The Hacker News](https://thehackernews.com/2026/03/teampcp-hacks-checkmarx-github-actions.html)*