Trivy To Checkmarx Supply Chain Compromise Expands

Background

On March 19 2026, the threat actor TeamPCP compromised Aqua Security’s Trivy vulnerability scanner and its GitHub Actions, injecting a credential‑stealing payload into CI/CD pipelines across thousands of repositories. The malicious code was delivered through force‑pushed commits that overwrote 75 of 76 version tags in the aquasecurity/trivy-action repository.

Checkmarx Wave

Approximately four days later, the same credential stealer appeared in Checkmarx’s AST GitHub Action (Checkmarx/ast-github-action v2.3.28). The payload’s entry point was changed from entrypoint.sh to setup.sh, but the overall behavior stayed identical.

How It Happened

The stealer harvests secrets from runner memory, queries the AWS Instance Metadata Service for temporary IAM credentials, enumerates Slack and Discord webhooks in the repository workspace, and uploads an AES‑256+RSA‑4096 encrypted archive named tpcp.tar.gz to a typosquat domain. The domains used were scan.aquasecurtiy[.]org (45[.]148[.]10[.]212) for Trivy and checkmarx[.]zone (83[.]142[.]209[.]11) for Checkmarx.

Runtime Detection with Sysdig Secure and Falco

Supply‑chain compromises bypass upstream preventive controls because the malicious code is injected into trusted actions. Tag‑based references (e.g., @v2) can be force‑pushed to bad commits, so only commit‑SHA pinning would have prevented the initial compromise. Runtime detection becomes the only viable defense once the code is executed on the runner.

Sysdig Secure and Falco rules identified the attacks by monitoring system‑call activity:

  • curl requests to the IMDS endpoint followed by an upload of tpcp.tar.gz to an external domain.
  • grep commands searching for hooks.slack.com or discord.com/api/webhooks in the repository workspace.
  • process trees that matched the known entry points for Trivy and Checkmarx.

These rules do not rely on signatures of the compromised action; instead, they detect the underlying behavior common to both waves.

Kill Chain to Detection Mapping

The TeamPCP stealer follows a fixed kill chain that maps directly to MITRE ATT&CK techniques:

  • Unsecured Credentials: Cloud Instance Metadata API (T1552.005) – detected by monitoring curl accesses to 169[.]254[.]169[.]254.
  • Exfiltration (TA0010) – detected by monitoring curl POSTs of binary data to external domains.
  • Collection (TA0009) – detected by monitoring grep enumerations of webhook URLs.

Indicators of Compromise

Exfiltration Domains

  • scan.aquasecurtiy[.]org → 45[.]148[.]10[.]212
  • checkmarx[.]zone → 83[.]142[.]209[.]11

Exfiltration Indicators

  • Payload filename: tpcp.tar.gz
  • Fallback exfiltration: creation of a tpcp-docs repository in the victim’s GitHub account.

Compromised Actions

  • aquasecurity/trivy-action – 75 of 76 tags, entrypoint.sh
  • aquasecurity/setup-trivy – 7 tags, action.yaml
  • Checkmarx/ast-github-action – v2.3.28 (possibly more), setup.sh

Recommendations

  1. Rotate all secrets, tokens, and cloud credentials that were accessible to CI runners during the affected window, including GitHub PATs, AWS, Azure, and GCP service principals.
  2. Audit GitHub Actions workflow runs from March 19 to March 23 2026 for any references to tpcp.tar.gz, aquasecurity, or checkmarx.zone in runner logs.
  3. Search your organization for repositories named tpcp-docs, which indicate successful fallback exfiltration.
  4. Pin GitHub Actions to full commit SHAs rather than version tags.
  5. Deploy Sysdig Secure or Falco runtime detection on CI runner infrastructure.
  6. Monitor outbound network connections from CI runners for curl POST requests to unexpected domains.
  7. Restrict IMDS access from CI runner containers using IMDSv2 with hop limits or disable IMDS entirely if not required.

Conclusion

The TeamPCP campaign demonstrates that a single poisoned action can harvest credentials that enable the compromise of additional actions, creating a cascading supply‑chain threat across the CI/CD ecosystem. Runtime monitoring of build infrastructure is now more critical than ever, as it is the only line of defense once malicious code is executed on the runner.

Leave a Reply

Looking for the Best Cyber Security?

Seamlessly integrate local and cloud resources with our comprehensive cybersecurity services. Protect user traffic at endpoints using advanced security solutions like threat hunting and endpoint protection. Build a scalable network infrastructure with continuous monitoring, incident response, and compliance assessments.

Contact Us

Copyright © 2025 ESSGroup

Discover more from ESSGroup

Subscribe now to keep reading and get access to the full archive.

Continue reading