{ "Event": { "analysis": "1", "date": "2026-03-19", "extends_uuid": "", "info": "[Threat Intel] Supply chain compromise spreads from Trivy to Checkmarx GitHub Actions", "protected": false, "publish_timestamp": "1775507885", "published": true, "threat_level_id": "2", "timestamp": "1775507885", "uuid": "48c7cf05-c0d8-4e8a-a84a-7f2481bc8f78", "Orgc": { "name": "Rectifyq", "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4" }, "Tag": [ { "colour": "#ffffff", "local": false, "name": "tlp:clear", "relationship_type": "" }, { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"from-original-src\"", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"from-OTX\"", "relationship_type": "" }, { "colour": "#d87445", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration - TA0010\"", "relationship_type": "" }, { "colour": "#f50a44", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Collection - TA0009\"", "relationship_type": "" }, { "colour": "#0ee843", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Cloud Instance Metadata API - T1552.005\"", "relationship_type": "" }, { "colour": "#9e0269", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Web Service - T1102\"", "relationship_type": "" }, { "colour": "#49a260", "local": false, "name": "rectifyq:category=\"threat\"", "relationship_type": "" }, { "colour": "#120044", "local": false, "name": "rectifyq:sub-category=\"intrusion-analysis\"", "relationship_type": "" }, { "colour": "#18005e", "local": false, "name": "rectifyq:topic=\"supply-chain\"", "relationship_type": "" }, { "colour": "#ffd12e", "local": false, "name": "rectifyq:target=\"broad-based\"", "relationship_type": "" }, { "colour": "#55acee", "local": false, "name": "rectifyq:MY-relevancy=\"potentially-relevant\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:online-service=\"3b16bb5a-eb4f-4603-a909-bebc5df4a46d\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#3800d9", "local": false, "name": "rectifyq:action-taken=\"VT-comment\"", "relationship_type": "" }, { "colour": "#3d00e9", "local": false, "name": "rectifyq:action-taken=\"telegram\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1774407608", "to_ids": false, "type": "link", "uuid": "9687091a-1d9b-457d-b2bf-0be51014120d", "value": "https://www.sysdig.com/blog/teampcp-expands-supply-chain-compromise-spreads-from-trivy-to-checkmarx-github-actions", "Tag": [ { "colour": "#6b003a", "local": true, "name": "workflow:todo=\"create-missing-misp-galaxy-cluster\"", "relationship_type": "" } ] }, { "category": "Other", "comment": "Description", "deleted": false, "disable_correlation": false, "timestamp": "1774407608", "to_ids": false, "type": "text", "uuid": "4ad6d107-e22b-48d4-955a-a19a33bde5a4", "value": "A threat actor known as TeamPCP expanded its supply chain attack from Aqua Security's Trivy to Checkmarx's AST GitHub Action. The attack, which began on March 19, 2026, involved injecting a credential-stealing payload into CI/CD pipelines across thousands of repositories. The malicious code harvested secrets from runner memory, queried cloud metadata, and exfiltrated encrypted data to typosquat domains. The Checkmarx compromise occurred approximately four days after the initial Trivy incident, using identical techniques but targeting a different action. This cascading effect demonstrates how compromised actions can be used to harvest credentials and compromise additional dependencies. Runtime detection proved effective in identifying the attack pattern across both waves, as the underlying behavior remained consistent despite changes in the delivery mechanism." }, { "category": "Other", "comment": "Summary", "deleted": false, "disable_correlation": false, "timestamp": "1774407608", "to_ids": false, "type": "text", "uuid": "90507abf-093f-4504-8f2c-df956d162a4a", "value": "Name: Supply chain compromise spreads from Trivy to Checkmarx GitHub Actions\nAuthor: AlienVault\nAdversary: TeamPCP\nTags: [\"teampcp cloud stealer\", \"ci/cd compromise\", \"supply chain attack\"]\nTgtd countries: []\nMlwr families: [\"TeamPCP Cloud stealer\"]\nAttack_ids: [\"TA0010\", \"TA0009\", \"T1552.005\", \"T1102\"]\nIndustries: []" }, { "category": "Attribution", "comment": "Adversary", "deleted": false, "disable_correlation": false, "timestamp": "1774407608", "to_ids": false, "type": "threat-actor", "uuid": "9be6577b-9c93-4638-a642-7b2080ed68ae", "value": "TeamPCP" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1775488453", "to_ids": true, "type": "domain", "uuid": "be93a40a-c8ef-429f-87a0-3d7fef4942fb", "value": "aquasecurtiy.org", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1775488475", "to_ids": true, "type": "domain", "uuid": "7a6c6166-7f2b-4e24-9cf3-3fc739887bf8", "value": "checkmarx.zone", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1775488496", "to_ids": true, "type": "hostname", "uuid": "67caaa0a-3ca7-45c8-bb33-0300a67d92c2", "value": "scan.aquasecurtiy.org", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1775488517", "to_ids": true, "type": "ip-dst", "uuid": "31c900ce-709c-438d-9164-29e17856492f", "value": "45.148.10.212", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1775488538", "to_ids": true, "type": "ip-dst", "uuid": "338a8c2b-9db1-45c8-8339-7b02c710fd58", "value": "83.142.209.11", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] } ] } }