Checkmarx, a supply chain security company, experienced a supply chain attack targeting two of its GitHub Actions workflows in March 2026. The threat actor TeamPCP compromised the checkmarx/ast-github-action and checkmarx/kics-github-action repositories using stolen continuous integration credentials. This attack represents a direct compromise of security tooling infrastructure within the software supply chain ecosystem.
The breach occurred through credential-stealing malware that captured CI credentials, which TeamPCP then used to gain unauthorized access to Checkmarx's GitHub Actions workflows. The same threat actor was previously responsible for the Trivy supply chain attack, indicating a pattern of targeting security scanning tools and CI/CD pipelines. The compromised workflows could have been modified to inject malicious code into downstream projects that depend on these security scanning actions.
No specific post-incident developments regarding regulatory actions, litigation, ransom payments, or remediation milestones were detailed in the available information about this breach.
Attack vector: Compromised GitHub Actions workflows using stolen CI credentials
This breach demonstrates that security tooling companies are themselves high-value targets for supply chain attacks, particularly when they maintain widely used CI/CD components. The compromise of GitHub Actions workflows through stolen CI credentials highlights the need for robust credential management and monitoring in continuous integration environments, even within security-focused organizations. Organizations must implement strict access controls and behavioral monitoring for CI/CD systems, as these have become critical attack vectors for compromising downstream dependencies across the software ecosystem.
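One defensive check a downstream consumer of these actions can run, added here as an example and not code from Checkmarx or from the page: scan a repository's workflow files for `uses:` references that are pinned to a mutable tag or branch rather than a full commit SHA, since a tag moved from a compromised maintainer account silently changes what the pipeline executes, while a SHA does not. The workflow text below is constructed, and the 40-zero SHA is a placeholder rather than a real commit.

```python
import re

# Matches a step's `uses:` reference (owner/repo[/path]@ref), tolerating quotes and a trailing comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)['\"]?")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_unpinned_actions(workflow_text: str) -> list[dict]:
    """Return every `uses:` reference whose ref is not a 40-hex commit SHA.

    Local actions (./path) and docker:// images are skipped; SHA pinning does not apply to them.
    """
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref_spec = m.group(1)
        if ref_spec.startswith("./") or ref_spec.startswith("docker://"):
            continue
        action, sep, ref = ref_spec.partition("@")
        # No "@ref" at all, or a tag/branch instead of a full SHA, is a mutable reference.
        if not sep or not FULL_SHA_RE.match(ref):
            findings.append({"line": lineno, "action": action, "ref": ref or "<none>"})
    return findings


# Constructed sample workflow; the checkout SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
permissions:
  contents: read
jobs:
  sast:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000  # placeholder SHA
      - uses: checkmarx/ast-github-action@v2
      - uses: checkmarx/kics-github-action@main
      - uses: ./.github/actions/local-helper
"""

if __name__ == "__main__":
    for f in find_unpinned_actions(SAMPLE_WORKFLOW):
        print(f"line {f['line']}: {f['action']} uses mutable ref '{f['ref']}'")
```

Run it against every file under `.github/workflows/` in CI and fail the job on any finding; pinning by SHA is what turns a moved tag into a visible diff instead of a silent change.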