TEAMPCP’S Checkmarx GitHub Actions Attack underscores how a supply chain compromise can cascade across ecosystems, moving from Trivy to poisoned GitHub Actions, malicious Docker images and compromised packages.
The team targeted two Checkmarx GitHub Actions, checkmarx/ast-github-action and checkmarx/kics-github-action, harvesting secrets from CI runners and exfiltrating them via an encrypted archive named tpcp.tar[.]gz to checkmarx[.]zone, with a fallback that could create a docs-tpcp repository if direct exfiltration failed. Malicious OpenVSX extensions, ast-results v2.53.0 and cx-dev-assist v1.7.0, were published through a compromised account and could fetch a second-stage payload if cloud credentials were present.
The campaign then expanded into npm and PyPI, with CanisterWorm infecting more than 28 packages in under a minute and litellm releases appearing on PyPI, illustrating how stolen publish tokens multiplier threats across ecosystems. By 22 March 2026, Docker Hub images were pushed directly, and internal Aqua repositories were defaced, showing the operation’s breadth beyond GitHub and stressing that the real risk lies in the theft and reuse of valid identities.