A threat actor known as TeamPCP has compromised two GitHub Actions workflows maintained by the software supply chain security firm Checkmarx. The attack, which occurred recently, involved the use of stolen continuous integration credentials to inject malware, marking the latest in a series of supply chain attacks attributed to this group. The incident highlights ongoing vulnerabilities in widely used automation tools that could impact developers and organizations globally.

Details of the Compromised Workflows

The two specific workflows targeted in this security breach are “checkmarx/ast-github-action” and “checkmarx/kics-github-action.” These are publicly available tools used by developers to integrate security scanning directly into their software development pipelines. The “ast-github-action” performs static application security testing, while the “kics-github-action” scans infrastructure as code for security vulnerabilities. By compromising these official actions, attackers could potentially distribute malicious code to any project that relies on them.

According to security reports, TeamPCP employed credential-stealing malware to gain unauthorized access to the workflows. This method allows attackers to hijack the automated processes, often to insert backdoors or cryptocurrency miners into software builds. The group is the same cloud-native criminal operation behind the recent Trivy supply chain attack, indicating a focused campaign against developer tools.

Background on the Threat Actor

TeamPCP has established itself as a significant threat in the cloud security landscape. Their modus operandi involves targeting continuous integration and continuous delivery, or CI/CD, pipelines to infiltrate software at its source. The previous attack on the popular Trivy vulnerability scanner demonstrated their capability to exploit trust in open-source security tools. Security researchers categorize these actions as software supply chain attacks, where compromising a single foundational component can have a cascading effect on countless downstream users and projects.

The use of stolen credentials suggests the initial access may have been obtained through phishing, compromised personal accounts, or other credential leaks. Once inside, the actors can modify workflow code to execute their own scripts during the automated build process, a technique that is difficult to detect without rigorous code review and integrity checks.

Implications for Development Security

This incident underscores a critical challenge in modern software development: securing the very tools designed to enhance security. GitHub Actions are extensively used to automate testing, building, and deployment. A compromise at this level can undermine the security of entire organizations, leading to data breaches, intellectual property theft, or further malware distribution. For companies like Checkmarx, whose core business is security, such a breach carries significant reputational risk.

Developers and organizations are advised to verify the integrity of any third-party actions they use, implement strict access controls for CI/CD systems, and monitor for unauthorized changes in their pipelines. Relying on automated tools without verifying their source and integrity can introduce severe risks into the software development lifecycle.

Response and Next Steps

Checkmarx has been notified of the compromise and is expected to take steps to remediate the affected workflows, revoke compromised credentials, and issue security advisories to users. The company will likely conduct a forensic investigation to determine the scope of the breach and how the credentials were initially stolen. Users of the impacted actions should immediately check their projects for any signs of anomalous behavior and update to verified, clean versions once they are released by the maintainers.

Looking forward, the cybersecurity community anticipates further disclosures from Checkmarx regarding the timeline of the attack and specific indicators of compromise. This event will likely prompt increased scrutiny of other popular GitHub Actions and CI/CD tools for similar vulnerabilities. Industry experts expect a continued focus from threat actors on the software supply chain, making robust security practices for development infrastructure more essential than ever.

Source: Multiple security advisories and threat intelligence reports.