Checkmarx confirmed its KICS open source project was compromised after a March 23 Trivy supply chain attack that let attackers hijack GitHub Action tags and poison packages so that they referenced malware. The intrusion, attributed to TeamPCP and apparently involving Lapsus for monetization, led to the exfiltration of source code, employee databases, API keys, and database credentials. Checkmarx removed the malicious packages, rotated credentials, engaged Mandiant, and notified law enforcement. #Checkmarx #TeamPCP #Lapsus #Trivy #Bitwarden #KICS #DockerHub
Key points
- A Trivy supply chain compromise on March 23 enabled attackers to hijack GitHub Action tags and poison open source packages.
- The campaign is attributed to TeamPCP and appears to have involved coordination with Lapsus for data monetization.
- Attackers poisoned OpenVSX plugins, GitHub Actions, a DockerHub KICS image, VS Code and Developer Assist extensions, and the Bitwarden CLI NPM package.
- Checkmarx identified data exfiltration on March 30 and Lapsus later posted a 96GB archive claiming source code, employee databases, API keys, and DB credentials.
- Checkmarx removed malicious packages, rotated credentials, blocked attacker infrastructure, retained Mandiant, notified law enforcement, and launched a code audit.
Read More: https://www.securityweek.com/checkmarx-confirms-data-stolen-in-supply-chain-attack/
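The tag hijacking described above works because a `uses: owner/action@v4` reference resolves to whatever commit the mutable tag currently points at, so an attacker who can move the tag can swap in malicious code without changing any consumer's workflow. The usual defence is to pin each action to a full 40-character commit SHA. The script below is an added example (not code from Checkmarx, Trivy, or the article) that audits a workflow file for references that are not pinned to an immutable commit or image digest. The sample workflow, the `example-org/*` action names, and the commit SHA in it are all constructed for the demonstration.

```python
import re
from dataclasses import dataclass

# A step reference looks like "uses: owner/repo[/path]@ref", optionally quoted,
# possibly followed by a trailing comment. Also catches "./local" and "docker://" forms.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?(?P<ref>[^"\'\s#]+)["\']?')
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class Finding:
    line_no: int
    action: str
    ref: str
    status: str  # "pinned", "mutable", "local", or "docker"


def classify_uses(ref: str) -> tuple[str, str, str]:
    """Split a uses: value into (action, version, status).

    "pinned"  : resolves to an immutable object (full commit SHA or image digest)
    "mutable" : a tag, branch, or no ref at all (default branch) that can be moved
    "local"   : an action in the same repository, governed by the repo's own review
    "docker"  : a container image addressed by a mutable tag
    """
    if ref.startswith("./"):
        return ref, "", "local"
    if ref.startswith("docker://"):
        image = ref[len("docker://"):]
        if "@sha256:" in image:
            name, digest = image.split("@", 1)
            return name, digest, "pinned"
        return image, "", "docker"
    if "@" not in ref:
        # No ref means the default branch is used, which is as mutable as it gets.
        return ref, "", "mutable"
    action, version = ref.rsplit("@", 1)
    if FULL_SHA_RE.match(version):
        return action, version, "pinned"
    return action, version, "mutable"


def audit_workflow(text: str) -> list[Finding]:
    """Return one Finding per uses: line in a workflow file."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            action, version, status = classify_uses(m.group("ref"))
            findings.append(Finding(n, action, version, status))
    return findings


def unpinned(findings: list[Finding]) -> list[Finding]:
    """Only the references an attacker could redirect by moving a tag or branch."""
    return [f for f in findings if f.status in ("mutable", "docker")]


# Constructed sample workflow: the example-org actions and the SHA are not real.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/setup-tool@0123456789abcdef0123456789abcdef01234567
      - name: Scan
        uses: example-org/scanner-action@main   # constructed, not a real action
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
"""

if __name__ == "__main__":
    for f in unpinned(audit_workflow(SAMPLE_WORKFLOW)):
        print(f"line {f.line_no}: {f.action}@{f.ref or '<default branch>'} is not pinned ({f.status})")
```

Run against a real `.github/workflows/*.yml` by reading the file into `audit_workflow`. Pinning to a SHA only helps if the SHA is reviewed when it is first introduced and on every bump, so pair this check with a dependency-update bot that opens a visible pull request for each change rather than silently editing the ref.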