Proprietary · 2026-03-23 · 0 days · Credential Theft, Persistence

Checkmarx tools stole CI secrets

Part of the Checkmarx vs TeamPCP campaign

TeamPCP poisoned Checkmarx GitHub Actions and OpenVSX extensions. The payload hunted CI, cloud, SSH, Kubernetes, and developer credentials from trusted scanning tools.

Story

The March Checkmarx incident began in the places developers trust by habit. Malicious OpenVSX extensions appeared early on March 23. Later that day, Checkmarx GitHub Actions tags were altered so CI jobs pulled attacker code as if it were normal scanner setup.

The GitHub Actions payload changed the action startup path and ran setup.sh. It searched runners for environment variables, SSH keys, cloud metadata, Kubernetes tokens, and GitHub Actions process memory. It encrypted the collection, wrote tpcp.tar.gz, and tried to send it to TeamPCP infrastructure, with GitHub release upload as a fallback.

The OpenVSX payload used the IDE instead of CI. Compromised ast-results and cx-dev-assist VSIX files loaded a malicious checker, gated execution on the presence of cloud credentials, fetched a second stage, then followed the same credential-stealing pattern. On developer machines it could install a user-level systemd persistence loop.

Checkmarx removed the affected artifacts, deleted older GitHub versions, rotated credentials, and advised users to move to verified releases. The incident is recorded as its own attack because it compromised Checkmarx-controlled distribution channels on March 23, even though the technique and infrastructure tie it to the wider TeamPCP campaign.

Affected Artifacts

checkmarx/ast-github-action

github actions · github.com · repository · Action
Observed
2026-03-23
Compromised Versions
  • 2.3.32
Fixed
2.3.33
  • Checkmarx later identified 2.3.32, and floating main references that resolved during the March 2026 exposure window, as compromised; replacement guidance pointed users to v2.3.33 or later.

checkmarx/kics-github-action

github actions · github.com · repository · Action
Observed
2026-03-23
Compromised Versions
Unknown
Fixed
2.1.20
  • Third-party reporting described all release tags active during the March 2026 exposure window as poisoned with setup.sh changes; Checkmarx described any floating reference, including main, that resolved during the window as affected.
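As an added example (not code from the incident record or from Checkmarx), a check a defender can run over workflow files to find references to the two affected actions and flag floating refs or tags older than the fixed releases listed above. The fixed versions come from this record; the sample workflow and the status labels are constructed for the example.

```python
import re

# Fixed releases from the incident record. Earlier tags and floating branch
# refs that resolved during the 2026-03-23 window are treated as affected.
FIXED = {
    "checkmarx/ast-github-action": (2, 3, 33),
    "checkmarx/kics-github-action": (2, 1, 20),
}

USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?([\w.-]+/[\w.-]+)(?:/[\w./-]+)?@([\w./-]+)", re.M)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
VER_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")

def classify(action, ref):
    """Return (status, detail) for one uses: reference to a Checkmarx action."""
    fixed = FIXED[action]
    fixed_str = ".".join(map(str, fixed))
    if SHA_RE.match(ref):
        # Immutable pin: a tag rewrite cannot redirect it, but the commit must
        # still be compared against Checkmarx's verified release list.
        return "pinned-sha", "verify the commit belongs to a verified release"
    m = VER_RE.match(ref)
    if m:
        ver = tuple(int(x) for x in m.groups())
        if ver < fixed:
            return "affected", f"{ref} predates fixed release {fixed_str}"
        return "mutable-tag", "fixed release, but the tag can move; pin to its SHA"
    # main, master, v2 and similar refs resolved to attacker code during the window
    return "floating", f"branch or major ref {ref} is not a verified release"

def audit_workflow(yaml_text):
    """Find Checkmarx action references in a workflow and classify each one."""
    findings = []
    for m in USES_RE.finditer(yaml_text):
        action, ref = m.group(1).lower(), m.group(2)
        if action in FIXED:
            status, detail = classify(action, ref)
            findings.append((action, ref, status, detail))
    return findings

# Constructed sample workflow, not taken from any real repository.
SAMPLE_WORKFLOW = """\
jobs:
  scan:
    steps:
      - uses: actions/checkout@v4
      - uses: checkmarx/ast-github-action@main
      - uses: checkmarx/kics-github-action@v2.1.19
      - uses: Checkmarx/ast-github-action@2.3.33
"""

if __name__ == "__main__":
    for action, ref, status, detail in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{status:12} {action}@{ref}: {detail}")
```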

checkmarx.ast-results

openvsx · repository · Extension
Observed
2026-03-23
Compromised Versions
  • 2.53.0
Fixed
Not listed
Hashes
  • sha256:65bd72fcddaf938cefdf55b3323ad29f649a65d4ddd6aea09afa974dfc7f105d
Evidence
  • distribution: open-vsx.org/extension/checkmarx/ast-results
  • Update: Ongoing Checkmarx Supply Chain Security Incident
  • KICS GitHub Action Compromised: TeamPCP Strikes Again in Supply Chain Attack
  • file_sha256: ast-results-2.53.0.vsix 65bd72fcddaf938cefdf55b3323ad29f649a65d4ddd6aea09afa974dfc7f105d
  • +1 more

checkmarx.cx-dev-assist

openvsx · repository · Extension
Observed
2026-03-23
Compromised Versions
  • 1.7.0
Fixed
Not listed
Hashes
  • sha256:744c9d61b66bcd2bb5474d9afeee6c00bb7e0cd32535781da188b80eb59383e0
Evidence
  • distribution: open-vsx.org/extension/checkmarx/cx-dev-assist
  • Update: Ongoing Checkmarx Supply Chain Security Incident
  • KICS GitHub Action Compromised: TeamPCP Strikes Again in Supply Chain Attack
  • file_sha256: cx-dev-assist-1.7.0.vsix 744c9d61b66bcd2bb5474d9afeee6c00bb7e0cd32535781da188b80eb59383e0
  • +1 more

Incident Context

Motive
Credential Theft
Attribution
Group
Cause
Compromised Account Credentials
Transitive
Yes
Actor
TeamPCP

Indicators

  • domain: checkmarx.zone
  • ip: 83.142.209.11
  • file: setup.sh
  • file: environmentAuthChecker.js
  • file: checkmarx-util-1.0.4.tgz
  • file: tpcp.tar.gz
  • file: sysmon.py
  • observable: docs-tpcp GitHub repository used as fallback exfiltration path.
  • observable: OpenVSX extensions fetched checkmarx-util-1.0.4.tgz from checkmarx.zone/static.

External References

Source record: proprietary/checkmarx-ast/meta.yaml