On January 14, 2025, Checkmarx disclosed that threat actor TeamPCP compromised their GitHub Actions workflows by stealing CI credentials. This incident, similar to a previous attack on Aqua Security's Trivy vulnerability scanner, highlights a critical vulnerability: inadequate protection of service account credentials in CI/CD pipelines.
What Happened
TeamPCP gained unauthorized access to Checkmarx's GitHub Actions environment through the 'cx-plugins-releases' service account. The attackers deployed malicious code that harvested credentials and environment variables from the CI pipeline. The stolen data was packaged into an encrypted archive named 'tpcp.tar.gz' and exfiltrated to a domain masquerading as legitimate Checkmarx infrastructure: checkmarx[.]zone.
The Trivy compromise, tracked as CVE-2026-33634 with a CVSS score of 9.4, followed the same pattern. TeamPCP's method demonstrates a repeatable exploit: steal service account credentials, inject code into trusted build processes, and exfiltrate secrets from the CI environment where they're most exposed.
Timeline
Pre-compromise (date unknown): TeamPCP obtained credentials for the 'cx-plugins-releases' service account through methods not yet publicly disclosed.
Attack execution: Using the compromised service account, TeamPCP modified GitHub Actions workflows to include credential-harvesting code.
Data exfiltration: The malicious workflow executed during normal CI operations, collected environment variables and secrets, encrypted them into tpcp.tar.gz, and transmitted the archive to checkmarx[.]zone.
Detection: Sysdig's analysis identified the TeamPCP stealer and published findings linking the Checkmarx and Trivy incidents.
January 14, 2025: Checkmarx publicly disclosed the breach.
Which Controls Failed or Were Missing
Credential rotation and lifecycle management: The 'cx-plugins-releases' service account was a long-lived credential without forced rotation. Once compromised, it remained valid long enough for TeamPCP to plan and execute the attack.
Workflow approval controls: GitHub Actions workflows could be modified without requiring secondary approval or review, allowing the attacker to inject malicious steps into trusted pipelines.
Egress monitoring: The exfiltration to checkmarx[.]zone—a domain designed to blend in with legitimate traffic—went undetected. Your CI environment should treat any external data transmission as suspicious.
Secrets exposure in CI: Environment variables containing credentials were accessible to workflow steps. The principle of least privilege wasn't enforced at the step level.
Service account monitoring: No anomaly detection flagged unusual activity from the compromised service account, such as workflow modifications or access patterns inconsistent with normal operations.
What the Standards Require
PCI DSS v4.0.1 Requirement 8.3.2 mandates that passwords and passphrases for user and service accounts meet minimum strength requirements and are changed at least once every 90 days. Service accounts in CI/CD pipelines frequently violate this requirement because rotation is difficult to automate without breaking builds.
Requirement 8.2.2 requires multi-factor authentication for all access into the cardholder data environment. While GitHub supports MFA for user accounts, service accounts often rely on API tokens or SSH keys without additional authentication factors.
Requirement 10.2.1 requires logging of all individual access to cardholder data. In a CI/CD context, this means you must log which service accounts accessed secrets, when, and from which workflow runs.
ISO/IEC 27001:2022 Control 5.17 (authentication information) requires that allocation and management of authentication information be controlled through a formal process. Your service account credentials need documented owners, rotation schedules, and access reviews.
NIST 800-53 Rev 5 AC-2(1) (Account Management | Automated System Account Management) requires automated mechanisms to support account management functions. Manual service account management doesn't scale and creates gaps like the one TeamPCP exploited.
NIST CSF v2.0 PR.AC-1 (Identities and credentials are issued, managed, verified, revoked, and audited) applies directly to CI/CD service accounts. You need automated tracking of when credentials were created, last used, and by which systems.
Lessons and Action Items for Your Team
Implement short-lived tokens for CI/CD: Replace long-lived service account credentials with tokens that expire after hours, not months. GitHub supports OpenID Connect (OIDC) tokens that allow workflows to authenticate without storing secrets. Configure your workflows to request tokens scoped to specific repositories and actions.
Require workflow approval for changes: Enable branch protection rules that require pull request reviews before workflow files can be modified. Treat .github/workflows/ changes with the same scrutiny as production code.
Monitor CI egress traffic: Deploy network monitoring that alerts on any data transmission from CI runners to external domains. Whitelist known-good destinations (package registries, artifact stores) and investigate everything else. The checkmarx[.]zone domain should have triggered an alert for being unrecognized.
Scope secrets to specific workflow steps: Don't expose secrets as environment variables to entire jobs. Use GitHub's secrets context to pass credentials only to the steps that need them. If a step doesn't require AWS credentials, it shouldn't have access to them.
Audit service account activity weekly: Generate reports showing which service accounts accessed which secrets, from which IP addresses, and during which workflow runs. Anomalies like off-hours access or geographic inconsistencies warrant immediate investigation.
Rotate credentials on a fixed schedule: Even with short-lived tokens, rotate the underlying credentials used to generate them. Document the rotation date for each service account and automate reminders when rotation is overdue.
Deploy runtime security for CI runners: Install agents on your CI runners that detect unusual process execution, file access, or network connections. TeamPCP's tpcp.tar.gz creation and exfiltration should have triggered alerts for unexpected archive operations.
Test your incident response for CI compromises: Run a tabletop exercise where you assume a service account is compromised. How quickly can you revoke its access? Can you identify which builds ran with the compromised credential? Do you have logs showing what data was accessible?
TeamPCP's success against both Checkmarx and Trivy proves that CI/CD credential theft is a repeatable, high-value attack vector. Your service accounts are targets. Treat them accordingly.
