In the world of cybersecurity, lightning rarely strikes the same place twice—unless you are a high-value target in a global supply chain campaign.
On April 22, 2026, security researchers confirmed that Checkmarx, a leader in developer security tools, was compromised for the second time in just 30 days. The attackers, identified as the financially motivated group TeamPCP, didn’t just breach a server; they poisoned the very tools developers use to prevent breaches. By injecting credential-stealing malware into KICS (Keeping Infrastructure as Code Secure) Docker images and popular VS Code extensions, the attackers have turned a trusted security guardian into a silent spy.+1
The Attack Vector: Poisoning the “Source of Truth”
The sophistication of this attack lies in its use of “trusted” infrastructure. Developers often pull Docker images or update IDE extensions without a second thought, assuming the “Official” tag provides safety.
1. Compromised KICS Docker Images
KICS is a powerhouse for scanning Terraform, Kubernetes, and CloudFormation files. With over 5 million downloads, it is a staple in modern CI/CD pipelines.
- The Exploit: TeamPCP swapped legitimate image digests for malicious ones while keeping the same tags (e.g.,
v2.1.20,alpine,latest). - The Result: Any automated pipeline pulling these tags received a binary modified to exfiltrate scan reports. Since these reports often contain raw secrets and configuration flaws, the malware essentially “hands over the keys” to the target’s cloud environment.
2. Malicious VS Code Extensions
The attack extended to the desktop via the Checkmarx Developer Assist and AST-Results extensions.
- The Payload: Researchers found a multi-stage component dubbed
mcpAddon.js. - The Mechanism: This script masquerades as a feature of the Model Context Protocol (MCP). It fetches additional payloads from hardcoded GitHub URLs without user confirmation, bypassing integrity checks.
Technical Deep Dive: The “NPM Worm” & Credential Theft
This isn’t just a “smash and grab” operation. TeamPCP has built a self-propagating machine designed to maximize its reach across the developer ecosystem.
What is Being Stolen?
The malware targets a exhaustive list of high-value credentials:
- Cloud Providers: AWS, Azure, and Google Cloud (GCP) authentication tokens.
- VCS & Registry: GitHub Auth tokens and NPM configuration files.
- AI Tools: Configuration files for Claude (Anthropic) and other MCP-enabled AI assistants.
- Infrastructure: SSH keys, Kubernetes secrets, and environment variables.
How it Spreads (The Propagation Loop)
The attack follows a “worm-like” progression:
- Steal: Capture the developer’s GitHub and NPM tokens.
- Inject: Use those tokens to push a rogue GitHub Actions workflow (
format-check.yml) into the victim’s own repositories. - Worm: Republish the victim’s own NPM packages (sometimes targeting hundreds at a time) with the malicious payload embedded.
Risk Alert: If you used the affected KICS images to scan your infrastructure, you must assume every secret in those files—from database passwords to cloud API keys—is currently in the hands of TeamPCP.
The TeamPCP Campaign: A Growing Pattern
TeamPCP (also known as PCPcat or ShellForce) has been on a rampage since late 2025. This latest hit on Checkmarx is part of a larger campaign that has already compromised:
- Aqua Security Trivy: A major vulnerability scanner.
- LiteLLM: A popular library for AI developers.
- Bitwarden CLI: Briefly poisoned via NPM on April 22 to harvest vault-related metadata.
| Date | Target | Method |
|---|---|---|
| March 2026 | Checkmarx | Compromised GitHub Actions & OpenVSX. |
| March 2026 | Trivy / LiteLLM | Token theft and PyPI poisoning. |
| April 2026 | Checkmarx / Bitwarden | Docker Hub digest swaps and NPM worming. |
Export to Sheets
Emergency Response: Actionable Steps for DevOps Teams
If your organization utilizes Checkmarx tooling or KICS, you must act immediately to prevent a lateral move by the attackers.
1. Immediate Cleanup
- Purge Images: Delete any KICS Docker images with tags
v2.1.20,v2.1.21,alpine, orlatestpulled between April 21 and April 23. - Update Extensions: Ensure VS Code extensions are updated to v2.67.0 (Checkmarx AST) or v1.18.0 (Developer Assist).
- Audit CI/CD: Look for a new workflow file named
.github/workflows/format-check.ymlin your repositories.
2. Credential Rotation (The “Big Reset”)
Because the malware specifically targets cloud and developer tokens, rotation is the only way to ensure safety.
- Rotate all GitHub Personal Access Tokens (PATs).
- Reset AWS/Azure/GCP service account keys.
- Rotate NPM publishing tokens.
3. Strategic Hardening
- Use Pinned SHAs: Never pull Docker images by tag (like
:latest). Always use the specific SHA256 hash to ensure the image hasn’t been tampered with. - Egress Filtering: Block outbound traffic from CI/CD runners to unknown IP addresses or the known C2 domain
audit.checkmarx[.]cx. - Signed Commits: Enforce signed commits in your GitHub organization to prevent “spoofed” backdated commits like the ones used in this attack.
FAQs
1. How can I tell if my GitHub account was used to spread the malware?
Check your GitHub audit logs for repository creations with a <word>-<word>-<3 digits> pattern or unauthorized “Format Check” workflow runs.
2. Why is TeamPCP targeting AI configuration files (Claude/MCP)?
AI assistants often have elevated access to source code and internal documentation. By stealing these configs, attackers can gain a “high-definition” view of your internal architecture and exploit AI agents to run commands.
3. Is the KICS tool itself still safe to use?
The code of KICS is safe, but the distribution channels (Docker Hub/VS Code Marketplace) were compromised. Ensure you are using the patched versions released after April 22, 2026.
Conclusion
The second Checkmarx breach of 2026 proves that even security companies are under constant siege. TeamPCP has demonstrated that the software supply chain is the most efficient path for “smash and grab” credential harvesting. For developers, the message is clear: Trust, but verify. Use pinned dependencies, monitor your CI/CD secrets, and never assume an “official” update is automatically a safe one.
