Signal
TeamPCP supply chain attack compromises Trivy and Checkmarx GitHub Actions workflows
Published 2026-03-24 09:29 UTC. Updated 2026-03-25 00:03 UTC.
Tags: supply_chain_attack, malware, credential_theft, github_actions, incident_response, security_tooling
Evidence trail (top sources)
Top sources: 4 domains shown (domains are deduped; counts indicate coverage, not truth).
Overview
In March 2026, the threat actor TeamPCP executed a sophisticated supply chain attack targeting Aqua Security's Trivy vulnerability scanner and Checkmarx GitHub Actions workflows.
Entities
Aqua Security, Checkmarx, Mandiant Consulting, Lapsus$, Trivy, Checkmarx KICS, LiteLLM, Charles Carmakal
Score total: 1.53
Momentum 24h: 4
Posts: 4
Origins: 4
Source types: 1
Duplicate ratio: 0%
Why now
- The attack was detected in March 2026 and is actively expanding to additional frameworks and victims.
- Over 1,000 cloud environments are already infected, with potential for rapid growth in impacted organizations.
- Security vendors are currently releasing detection and response guidance to mitigate ongoing risks.
Why it matters
- Supply chain attacks on trusted security tools can compromise thousands of organizations downstream.
- Misconfigurations in CI/CD automation environments enable attackers to inject malware and steal credentials.
- Collaboration between threat actors and extortion groups increases the risk of widespread data breaches and ransom demands.
LLM analysis
Topic mix: low. Promo risk: low. Source quality: high.
Recurring claims
- TeamPCP exploited a misconfiguration in Trivy's GitHub Actions environment to steal privileged credentials and inject malware into official releases.
- The attack has infected over 1,000 cloud environments and is expected to impact many more downstream victims.
- The threat actor TeamPCP has expanded the campaign to compromise Checkmarx GitHub Actions workflows using stolen CI credentials.
How sources frame it
- Microsoft Defender Security Research Team: neutral
- CyberScoop: neutral
- The Register Security: neutral
- The Hacker News: neutral
This narrative consolidates multiple high-quality sources detailing the ongoing supply chain compromise by TeamPCP affecting Trivy and Checkmarx GitHub Actions workflows, highlighting the scale, techniques, and...
All evidence
Guidance for detecting, investigating, and defending against the Trivy supply chain compromise
Microsoft Security Blog · microsoft.com · 2026-03-25 00:03 UTC
1K+ cloud environments infected following Trivy supply chain attack
The Register Security · go.theregister.com · 2026-03-24 20:31 UTC
Experts warn of a ‘loud and aggressive’ extortion wave following Trivy hack
CyberScoop · cyberscoop.com · 2026-03-24 17:52 UTC
TeamPCP Hacks Checkmarx GitHub Actions Using Stolen CI Credentials
The Hacker News · thehackernews.com · 2026-03-24 09:29 UTC
Top publishers (this list)
- Microsoft Security Blog (1)
- The Register Security (1)
- CyberScoop (1)
- The Hacker News (1)
Top origin domains (this list)
- microsoft.com (1)
- go.theregister.com (1)
- cyberscoop.com (1)
- thehackernews.com (1)