Background
On March 19 2026, the threat actor TeamPCP compromised Aqua Security’s Trivy vulnerability scanner and its GitHub Actions, injecting a credential‑stealing payload into CI/CD pipelines across thousands of repositories. The malicious code was delivered through force‑pushed commits that overwrote 75 of 76 version tags in the aquasecurity/trivy-action repository.
Checkmarx Wave
Approximately four days later, the same credential stealer appeared in Checkmarx’s AST GitHub Action (Checkmarx/ast-github-action v2.3.28). The payload’s entry point was changed from entrypoint.sh to setup.sh, but the overall behavior stayed identical.
How It Happened
The stealer harvests secrets from runner memory, queries the AWS Instance Metadata Service for temporary IAM credentials, enumerates Slack and Discord webhooks in the repository workspace, and uploads an AES‑256+RSA‑4096 encrypted archive named tpcp.tar.gz to a typosquat domain. The domains used were scan.aquasecurtiy[.]org (45[.]148[.]10[.]212) for Trivy and checkmarx[.]zone (83[.]142[.]209[.]11) for Checkmarx.
Runtime Detection with Sysdig Secure and Falco
Supply‑chain compromises bypass upstream preventive controls because the malicious code is injected into trusted actions. Tag‑based references (e.g., @v2) can be force‑pushed to bad commits, so only commit‑SHA pinning would have prevented the initial compromise. Runtime detection becomes the only viable defense once the code is executed on the runner.
Sysdig Secure and Falco rules identified the attacks by monitoring system‑call activity:
- curl requests to the IMDS endpoint followed by an upload of tpcp.tar.gz to an external domain.
- grep commands searching for hooks.slack.com or discord.com/api/webhooks in the repository workspace.
- process trees that matched the known entry points for Trivy and Checkmarx.
These rules do not rely on signatures of the compromised action; instead, they detect the underlying behavior common to both waves.
Kill Chain to Detection Mapping
The TeamPCP stealer follows a fixed kill chain that maps directly to MITRE ATT&CK techniques:
- Unsecured Credentials: Cloud Instance Metadata API (T1552.005) – detected by monitoring curl accesses to 169[.]254[.]169[.]254.
- Exfiltration (TA0010) – detected by monitoring curl POSTs of binary data to external domains.
- Collection (TA0009) – detected by monitoring grep enumerations of webhook URLs.
Indicators of Compromise
Exfiltration Domains
- scan.aquasecurtiy[.]org → 45[.]148[.]10[.]212
- checkmarx[.]zone → 83[.]142[.]209[.]11
Exfiltration Indicators
- Payload filename: tpcp.tar.gz
- Fallback exfiltration: creation of a tpcp-docs repository in the victim’s GitHub account.
Compromised Actions
- aquasecurity/trivy-action – 75 of 76 tags, entrypoint.sh
- aquasecurity/setup-trivy – 7 tags, action.yaml
- Checkmarx/ast-github-action – v2.3.28 (possibly more), setup.sh
Recommendations
- Rotate all secrets, tokens, and cloud credentials that were accessible to CI runners during the affected window, including GitHub PATs, AWS, Azure, and GCP service principals.
- Audit GitHub Actions workflow runs from March 19 to March 23 2026 for any references to tpcp.tar.gz, aquasecurity, or checkmarx.zone in runner logs.
- Search your organization for repositories named tpcp-docs, which indicate successful fallback exfiltration.
- Pin GitHub Actions to full commit SHAs rather than version tags.
- Deploy Sysdig Secure or Falco runtime detection on CI runner infrastructure.
- Monitor outbound network connections from CI runners for curl POST requests to unexpected domains.
- Restrict IMDS access from CI runner containers using IMDSv2 with hop limits or disable IMDS entirely if not required.
Conclusion
The TeamPCP campaign demonstrates that a single poisoned action can harvest credentials that enable the compromise of additional actions, creating a cascading supply‑chain threat across the CI/CD ecosystem. Runtime monitoring of build infrastructure is now more critical than ever, as it is the only line of defense once malicious code is executed on the runner.

