Mar 23, 2026 • Wiz Security Research
KICS GitHub Action Compromised: TeamPCP Strikes Again in Supply Chain Attack
Executive Summary
The Checkmarx KICS GitHub Action was compromised in a supply chain attack orchestrated by the threat actor TeamPCP. On March 23, between 12:58 and 16:50 UTC, the group successfully hijacked 35 tags within the repository to facilitate credential stealing. This incident highlights the ongoing risk posed by malicious actors targeting CI/CD pipelines to infiltrate downstream environments. Organizations utilizing the KICS scanner are urged to immediately audit their GitHub Actions workflows for unauthorized modifications or malicious activity. Mitigation strategies include implementing strict access controls, verifying commit signatures, and monitoring for anomalous behavior within build pipelines. Security teams should rotate any potentially exposed credentials and review logs for signs of compromise during the specified timeframe. This attack underscores the critical need for robust supply chain security measures to prevent unauthorized code injection and protect sensitive infrastructure from credential theft campaigns.
Summary
Checkmarx KICS scanner is the latest victim of a credential-stealing supply chain attack by TeamPCP. Between 12:58–16:50 UTC on March 23, 35 tags were hijacked. Learn how to audit your workflows, identify malicious activity, and secure your GitHub Actions.
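One way to start the workflow audit described above, as an added example that is not from the original article or from Checkmarx: it flags steps that reference the KICS action by a mutable ref (tag or branch) instead of a full commit SHA. The action path `checkmarx/kics-github-action`, the sample workflow, and the 40-character SHA in it are assumptions constructed for illustration.

```python
import pathlib
import re
import sys

# Assumption: the action is referenced under this owner/repo path in workflows.
ACTION = "checkmarx/kics-github-action"
# Matches "uses: owner/repo[/path]@ref", with or without a leading list dash.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")

def audit_workflow(text, action=ACTION):
    """Return (line_no, ref, verdict) for every step that uses `action`."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        target, _, ref = m.group(1).partition("@")
        # Actions may be referenced with a sub-path: owner/repo/path@ref
        repo = "/".join(target.split("/")[:2]).lower()
        if repo != action:
            continue
        # Tags and branches can be moved; only a full commit SHA is immutable.
        verdict = "pinned-sha" if FULL_SHA.match(ref.lower()) else "mutable-ref"
        findings.append((no, ref, verdict))
    return findings

# Constructed sample workflow (not taken from any real repository).
SAMPLE = """\
jobs:
  scan:
    steps:
      - uses: actions/checkout@v4
      - uses: checkmarx/kics-github-action@v2
      - name: pinned scan
        uses: Checkmarx/kics-github-action@0123456789abcdef0123456789abcdef01234567
"""

if __name__ == "__main__":
    # Usage: python audit_kics.py [path/to/.github/workflows]
    root = pathlib.Path(sys.argv[1] if len(sys.argv) > 1 else ".github/workflows")
    for wf in sorted(root.glob("*.y*ml")):
        for no, ref, verdict in audit_workflow(wf.read_text()):
            print(f"{wf}:{no}: @{ref} {verdict}")
```

A `mutable-ref` finding means the step ran whatever the tag pointed to at run time, so workflow runs between 12:58 and 16:50 UTC on March 23 are the ones to review for exposed credentials.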
Linked Entities
- TeamPCP