Checkmarx Confirms GitHub Repository Breach: A Deep Dive into the Supply Chain Attack
In a recent and alarming development, Checkmarx, a prominent player in the software security domain, has confirmed a significant breach of its GitHub repositories. This incident underscores the escalating threats targeting the software supply chain, emphasizing the need for heightened vigilance and robust security measures.
The Breach Unveiled
The breach came to light when Checkmarx identified unauthorized access to two of its GitHub Actions workflows:
– checkmarx/ast-github-action
– checkmarx/kics-github-action
These workflows are integral to Checkmarx’s operations, facilitating automated processes within their development pipeline. The unauthorized access was traced back to a sophisticated credential-stealing malware deployed by a threat actor known as TeamPCP. This group has a notorious history, including the compromise of Aqua Security’s Trivy vulnerability scanner. ([thehackernews.com](https://thehackernews.com/2026/03/teampcp-hacks-checkmarx-github-actions.html?utm_source=openai))
Modus Operandi of the Attack
TeamPCP’s strategy involved injecting malicious code into the compromised workflows. This code was designed to exfiltrate sensitive information, including SSH keys, Git credentials, and cloud service provider credentials from platforms like AWS, Google Cloud, and Microsoft Azure. The stolen data was then transmitted to a domain masquerading as a legitimate Checkmarx entity, specifically checkmarx[.]zone. ([thehackernews.com](https://thehackernews.com/2026/03/teampcp-hacks-checkmarx-github-actions.html?utm_source=openai))
A notable aspect of this attack was the creation of a repository named docs-tpcp within the victim’s GitHub account. This repository served as a backup storage for the exfiltrated data, ensuring data retention even if the primary exfiltration method failed. This tactic mirrors previous incidents where repositories like tpcp-docs were utilized for similar purposes. ([thehackernews.com](https://thehackernews.com/2026/03/teampcp-hacks-checkmarx-github-actions.html?utm_source=openai))
Broader Implications and Related Incidents
The Checkmarx breach is not an isolated event. In a related incident, the Bitwarden CLI, a command-line interface for the Bitwarden password manager, was compromised through a similar supply chain attack. The attackers injected malicious code into the package, leading to the theft of GitHub and npm tokens, SSH keys, and other sensitive information. The exfiltrated data was sent to domains impersonating Checkmarx, indicating a coordinated effort to exploit trusted software supply chains. ([thehackernews.com](https://thehackernews.com/2026/04/bitwarden-cli-compromised-in-ongoing.html?utm_source=openai))
Furthermore, malicious images were pushed to the official checkmarx/kics Docker Hub repository. These images contained modified binaries capable of collecting and exfiltrating sensitive data, posing significant risks to teams using KICS for scanning infrastructure-as-code files. ([thehackernews.com](https://thehackernews.com/2026/04/malicious-kics-docker-images-and-vs.html?utm_source=openai))
The Role of TeamPCP
TeamPCP has emerged as a formidable adversary in the realm of software supply chain attacks. Their operations are characterized by the use of credential-stealing malware, strategic exfiltration methods, and the exploitation of trusted platforms to distribute malicious code. Their activities have targeted multiple organizations, indicating a broad and coordinated campaign to infiltrate and compromise software development pipelines. ([thehackernews.com](https://thehackernews.com/2026/03/teampcp-hacks-checkmarx-github-actions.html?utm_source=openai))
Mitigation and Preventive Measures
In response to these incidents, organizations are urged to adopt comprehensive security measures to safeguard their software supply chains:
1. Credential Management: Regularly rotate and manage credentials, ensuring that compromised credentials are promptly revoked and replaced.
2. Monitoring and Logging: Implement robust monitoring systems to detect unauthorized access and anomalous activities within repositories and CI/CD pipelines.
3. Code Integrity Checks: Utilize tools to verify the integrity of code and dependencies, ensuring that no unauthorized modifications have been made.
4. Access Controls: Enforce strict access controls, granting permissions based on the principle of least privilege to minimize potential attack vectors.
5. Incident Response Planning: Develop and regularly update incident response plans to ensure swift and effective action in the event of a security breach.
Conclusion
The confirmation of the GitHub repository breach by Checkmarx serves as a stark reminder of the vulnerabilities inherent in software supply chains. As threat actors like TeamPCP continue to refine their tactics, it is imperative for organizations to bolster their security postures, ensuring the integrity and security of their development processes.
