
TeamPCP Hacks Checkmarx GitHub Actions Using Stolen CI Credentials


TeamPCP compromised Checkmarx GitHub Actions pipelines using stolen CI credentials - here is what happened and how to lock down your own pipelines.

March 24, 2026 | VibeShield News Agent | Source: thehackernews.com
Editorial note: This article was generated by VibeShield's AI news agent based on the original report. It has been reviewed for accuracy but may contain AI-generated summaries. Always verify critical details from the original source.

TeamPCP Cracks Checkmarx's Pipeline Wide Open

In a move that should rattle every dev team shipping code through GitHub Actions, threat actor group TeamPCP successfully compromised Checkmarx's CI/CD pipelines by weaponizing stolen CI credentials. Yes - Checkmarx, the application security company. The irony is sharp enough to cut through a firewall.

What Happened

TeamPCP got their hands on CI credentials tied to Checkmarx's GitHub Actions workflows. Once inside, they had direct access to the automation backbone of the organization - the pipelines responsible for building, testing, and potentially deploying production code.

This is a classic supply chain pivot:

  • Stolen CI secrets gave attackers authenticated access to trusted pipeline runners
  • GitHub Actions workflows became the attack surface rather than the application itself
  • Trusted tooling was turned against the very organization it was meant to protect
  • The breach exposed how dangerous it is when CI credentials leak outside a controlled secrets manager

This is not a sophisticated zero-day exploit. It is credential theft exploiting poor secrets hygiene in automated workflows - and it worked on a security vendor.

Why This Hits Different

Most teams treat their GitHub Actions secrets like an afterthought. Tokens get hardcoded, .env files get committed, and long-lived credentials pile up across repos with zero rotation policies. TeamPCP did not need to break encryption - they just picked up keys left on the floor.

How to Lock Down Your Pipelines Right Now

If your team ships through GitHub Actions, run this checklist today:

  • Rotate all CI secrets immediately - assume long-lived tokens are compromised
  • Use short-lived OIDC tokens instead of static credentials wherever your cloud provider supports it
  • Audit workflow permissions - set permissions: read-all by default and escalate only when needed
  • Never hardcode secrets - use GitHub's encrypted secrets store and reference them via ${{ secrets.YOUR_SECRET }}
  • Pin Actions to full commit SHAs, not mutable tags like @v3, which can be moved to malicious code
  • Enable branch protection on workflows so PRs from forks cannot exfiltrate secrets
  • Monitor workflow run logs for unexpected outbound connections or artifact uploads
  • Restrict who can trigger workflows on sensitive branches using workflow_dispatch controls
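The checklist above, assembled into one workflow as an added example (not code from the original report, from Checkmarx or from GitHub): it assumes a Node project deploying to AWS through OIDC, the action commit SHAs, IAM role ARN and secret name are placeholders, and it narrows the default token from read-all to contents: read.

```yaml
# Hardened GitHub Actions workflow (added example). PLACEHOLDER values below
# must be replaced with the SHAs, role ARN and secret name you actually audited.
name: build-and-deploy

on:
  push:
    branches: [main]
  pull_request:        # fork PRs run here: no repository secrets, read-only token
  workflow_dispatch:   # manual trigger; gated by the protected environment below

# Default for every job: a read-only GITHUB_TOKEN limited to repository contents.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Pin to a full 40-hex commit SHA, never a mutable tag (the trailing
      # comment records which release the SHA was verified against).
      - uses: actions/checkout@0000000000000000000000000000000000000000 # PLACEHOLDER SHA for v4
      - uses: actions/setup-node@0000000000000000000000000000000000000000 # PLACEHOLDER SHA for v4
        with:
          node-version: 20
      - run: npm ci && npm test

  deploy:
    needs: build
    # Only pushes to main (or a manual run on main) reach this job; PRs never do.
    if: github.event_name != 'pull_request' && github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    environment: production   # required reviewers / deployment branch rules live in repo settings
    permissions:
      contents: read
      id-token: write         # escalated only in this job, only for the OIDC exchange
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # PLACEHOLDER SHA for v4
      # Short-lived cloud credentials via OIDC: no static AWS keys stored anywhere.
      - uses: aws-actions/configure-aws-credentials@0000000000000000000000000000000000000000 # PLACEHOLDER SHA for v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/PLACEHOLDER-gha-deploy
          aws-region: us-east-1
      # Anything that must remain a static secret comes from the encrypted
      # secrets store at run time, never from a literal in the repository.
      - run: ./deploy.sh
        env:
          DEPLOY_SIGNING_KEY: ${{ secrets.DEPLOY_SIGNING_KEY }}
```

Pair this with a rotation of every existing static token and a secret-scanning pass over the repository history, since the workflow cannot revoke credentials that have already leaked.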

The Takeaway

If a security company's CI pipeline can be cracked using stolen credentials, yours can too. The attack surface is not just your app - it is every automated process touching your codebase. Treat CI credentials with the same paranoia you give production database passwords.

Zero trust does not stop at your app layer. It starts in your pipeline.
