
Security / Supply Chain

GitHub Actions Under Attack: Credential Stealing Malware Injected into Popular Tools

Recent supply chain attacks have targeted widely used GitHub Actions, including those for the Trivy vulnerability scanner and Checkmarx KICS, injecting credential-stealing malware. These compromises pose a significant risk to CI/CD pipeline...

KICS GitHub Action Compromised: TeamPCP Strikes Again in Supply Chain Attack

Key Insights

  • **Trivy Compromised Again:** The `aquasecurity/trivy-action` and `aquasecurity/setup-trivy` GitHub Actions were compromised, leading to the injection of a credential stealer. All tags from 0.0.1 through 0.34.2 were affected for approximately 12 hours. Why this matters: This is the second compromise of the Trivy ecosystem in a short period, highlighting the increasing risk of supply chain attacks.
  • **Checkmarx KICS Affected:** The Checkmarx KICS GitHub Action was also compromised with credential-stealing malware. Between 12:58 and 16:50 UTC on March 23rd, compromised tags served malware to users. Why this matters: This indicates a broad targeting of security tools, making it crucial to verify the integrity of all dependencies.
  • **TeamPCP Involvement:** Evidence suggests the involvement of the TeamPCP threat actor, known for cloud-native cybercrime, in these attacks. The malware used naming conventions and an RSA public key consistent with previous TeamPCP operations. Why this matters: This suggests a sophisticated and persistent attacker targeting cloud infrastructure.
  • **Compromised npm Packages:** Stolen credentials from the Trivy compromise were used to compromise several npm packages with a self-propagating worm. Why this matters: This demonstrates the cascading impact of supply chain attacks, where compromised credentials can lead to further breaches.

In-Depth Analysis

The attacks involved injecting malicious code into existing GitHub Action tags, redirecting them to compromised commits. This allowed attackers to distribute malware through trusted sources. The malware harvested environment variables, SSH keys, cloud service provider credentials, database credentials, and cryptocurrency wallets. Exfiltration occurred via HTTP POST requests to attacker-controlled domains, with a fallback mechanism of creating a public repository named `tpcp-docs` on the victim's GitHub account.

StepSecurity's Harden-Runner detected anomalous outbound connections to the attacker's C2 domain, `scan.aquasecurtiy.org`, in workflow runs across multiple open-source projects. Aqua Security has released advisories with indicators of compromise (IOCs) and recommended actions.

Compromised artifacts include:

  • **OpenVSX Extensions:** `ast-results-2.53.0.vsix` and `cx-dev-assist-1.7.0.vsix`
  • **Checkmarx Util:** `checkmarx-util-1.0.4.tgz`
  • **Environment Auth Checker:** `environmentAuthChecker.js`

Mitigation steps include auditing KICS GitHub Actions references, searching for exfiltration artifacts, and pinning GitHub Actions to full SHA hashes instead of version tags.
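The audit described above, as an added example that is not part of the article or of any Aqua, Checkmarx or StepSecurity tooling: it walks a workflow file's `uses:` references, flags anything not pinned to a full 40-hex commit SHA, flags Trivy references whose tag falls in the affected 0.0.1 through 0.34.2 range, and flags KICS references for manual review. The sample workflow, the upload-artifact SHA and the `checkmarx/kics-github-action` slug are assumptions constructed for the example; the article names the action only as "Checkmarx KICS".

```python
import re
from typing import NamedTuple

# Constructed sample workflow: these `uses:` values are illustrative and not taken from any real repository.
SAMPLE_WORKFLOW = """\
name: scan
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@0.28.0
      - uses: aquasecurity/setup-trivy@v0.2.3
      - uses: checkmarx/kics-github-action@v2.1.3
      - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
      - uses: ./.github/actions/local-step
"""

USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^\s'"#]+)""", re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Trivy tags 0.0.1 through 0.34.2 were served from the compromised commits (per the article).
TRIVY_ACTIONS = {"aquasecurity/trivy-action", "aquasecurity/setup-trivy"}
TRIVY_MAX_AFFECTED = (0, 34, 2)

class Finding(NamedTuple):
    ref: str
    reason: str

def parse_version(tag):
    """Return (major, minor, patch) for tags like v0.28.0 / 0.28.0, else None."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", tag)
    return tuple(int(x) for x in m.groups()) if m else None

def audit_workflow(text):
    """Flag every `uses:` reference that is tag-pinned or points at an affected action."""
    findings = []
    for ref in USES_RE.findall(text):
        if ref.startswith(("./", "docker://")):
            continue  # local composite actions and container images are out of scope here
        action, _, version = ref.partition("@")
        if not SHA_RE.match(version):
            findings.append(Finding(ref, "not pinned to a full 40-hex commit SHA"))
        if action in TRIVY_ACTIONS:
            v = parse_version(version)
            if v is not None and v <= TRIVY_MAX_AFFECTED:
                findings.append(Finding(ref, "Trivy tag inside the affected range 0.0.1-0.34.2"))
        if "kics" in action.lower():  # slug assumed; the article names the action only as "Checkmarx KICS"
            findings.append(Finding(ref, "KICS action: verify against the Checkmarx advisory"))
    return findings
```

A SHA-pinned reference still needs the pinned commit itself to be checked against the vendor advisory; the script only shows which references are exposed to tag repointing.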


FAQ

What actions should security teams take?

Security teams should audit KICS GitHub Actions references, search for exfiltration artifacts, and implement long-term hardening measures.

How can I identify compromised credentials?

Review workflow run logs and network logs for connections to `scan.aquasecurtiy.org` or IP address `45.148.10.212`. Check GitHub accounts for repositories named `tpcp-docs`.
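The log review described in this answer, as an added example that is not from the article or from StepSecurity's Harden-Runner: it extracts hostnames, IPv4 peers and repository path segments from each log line and matches them against the three indicators the article lists. The log format and the sample lines (including timestamps and peer addresses) are constructed for the example; only the domain, IP and repository name come from the article.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators named in the article. The repository name is the malware's fallback exfiltration channel.
IOC_HOSTS = {"scan.aquasecurtiy.org"}
IOC_IPS = {"45.148.10.212"}
IOC_REPOS = {"tpcp-docs"}

# Constructed log lines in a generic "timestamp verb url peer" shape, not real Harden-Runner or GitHub output.
SAMPLE_LOGS = """\
2026-03-23T13:02:11Z CONNECT https://scan.aquasecurtiy.org/v2/upload 45.148.10.212:443
2026-03-23T13:02:12Z CONNECT https://api.github.com/repos/example-org/tpcp-docs 140.82.112.5:443
2026-03-23T13:03:40Z CONNECT https://aquasecurity.github.io/trivy/ 185.199.108.153:443
"""

URL_RE = re.compile(r"""https?://[^\s"']+""")
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def extract_indicators(line):
    """Pull hostnames, IPv4 addresses and repository path segments out of one log line."""
    hosts, ips, repos = set(), set(), set()
    for url in URL_RE.findall(line):
        parts = urlsplit(url)
        if parts.hostname:
            hosts.add(parts.hostname.lower())  # exact host match: the legitimate aquasecurity.* hosts do not hit
        repos.update(seg for seg in parts.path.split("/") if seg in IOC_REPOS)
    for ip in IPV4_RE.findall(line):
        try:
            ips.add(str(ipaddress.ip_address(ip)))  # drops regex false positives such as 999.1.1.1
        except ValueError:
            pass
    return hosts, ips, repos

def find_ioc_hits(log_text):
    """Return (line number, reasons) for every line touching a known indicator."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        hosts, ips, repos = extract_indicators(line)
        reasons = []
        if hosts & IOC_HOSTS:
            reasons.append("c2-host")
        if ips & IOC_IPS:
            reasons.append("c2-ip")
        if repos:
            reasons.append("fallback-repo")
        if reasons:
            hits.append((lineno, reasons))
    return hits
```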

Takeaways

  • **Verify Dependencies:** Regularly audit and verify the integrity of all dependencies in your CI/CD pipelines.
  • **Rotate Secrets:** If you suspect you were running a compromised version of Trivy or KICS, treat all pipeline secrets as compromised and rotate them immediately.
  • **Pin SHA Hashes:** Pin GitHub Actions to full, immutable commit SHA hashes instead of version tags to avoid tag poisoning attacks.
  • **Monitor Network Connections:** Monitor outbound network connections from your CI/CD environment for suspicious activity.



Disclaimer

This article was compiled by Yanuki using publicly available data and trending information. The content may summarize or reference third-party sources that have not been independently verified. While we aim to provide timely and accurate insights, the information presented may be incomplete or outdated.

All content is provided for general informational purposes only and does not constitute financial, legal, or professional advice. Yanuki makes no representations or warranties regarding the reliability or completeness of the information.

This article may include links to external sources for further context. These links are provided for convenience only and do not imply endorsement.

Always do your own research (DYOR) before making any decisions based on the information presented.