Analyzing TeamPCP’s Supply Chain Attacks: Checkmarx KICS and elementary-data in CI/CD Credential Theft

The 21 shell reconnaissance commands include hostname, whoami, uname -a, ip addr, ip route, printenv, env | grep AWS_, kubectl get secrets --all-namespaces, wg showconf all, gh auth token, cat /var/log/auth.log | grep Accepted | tail -200, and recursive API key pattern searches across .env, .json, .yml, and .yaml files.

Live AWS Cloud API abuse

When AWS credentials are present in environment variables or reachable via EC2 IMDS, the stealer makes live SigV4-authenticated API calls beyond simple file harvesting:

  1. secretsmanager:ListSecrets enumerates all accessible secret names across the account.
  2. secretsmanager:GetSecretValue dumps the plaintext value of each enumerated secret.
  3. ssm:DescribeParameters enumerates SSM Parameter Store entries.

These three API operation names map directly to CloudTrail event names. For defenders with CloudTrail enabled, query for these operations from CI/CD runner principals or any identity and access management (IAM) entity that should not be accessing Secrets Manager. Unexpected calls to secretsmanager:ListSecrets from a data pipeline role are a reliable hunting signal. This operation is rarely needed by application code and is frequently exploited by credential harvesters.
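The CloudTrail hunt described above, as an added example that is not part of the original analysis. The log records, account ID, role names and the allowlist of roles permitted to read secrets are constructed assumptions.

```python
import json

# CloudTrail (eventSource, eventName) pairs for the three operations named above.
HUNT_EVENTS = {
    ("secretsmanager.amazonaws.com", "ListSecrets"),
    ("secretsmanager.amazonaws.com", "GetSecretValue"),
    ("ssm.amazonaws.com", "DescribeParameters"),
}
# Assumption: role-name fragments that legitimately read secrets in this account.
ALLOWED_ROLES = ("secrets-rotation",)

def sample_record(role, source, name, ip):
    """Build one constructed CloudTrail record for an assumed-role session."""
    arn = f"arn:aws:iam::111122223333:role/{role}"
    return {"eventSource": source, "eventName": name, "sourceIPAddress": ip,
            "userIdentity": {"type": "AssumedRole",
                             "sessionContext": {"sessionIssuer": {"arn": arn}}}}

# Constructed sample log; account ID, role names and IPs are placeholders.
SAMPLE_LOG = json.dumps({"Records": [
    sample_record("ci-runner", "sts.amazonaws.com", "GetCallerIdentity", "203.0.113.7"),
    sample_record("ci-runner", "secretsmanager.amazonaws.com", "ListSecrets", "203.0.113.7"),
    sample_record("ci-runner", "secretsmanager.amazonaws.com", "GetSecretValue", "203.0.113.7"),
    sample_record("ci-runner", "secretsmanager.amazonaws.com", "GetSecretValue", "203.0.113.7"),
    sample_record("ci-runner", "ssm.amazonaws.com", "DescribeParameters", "203.0.113.7"),
    sample_record("secrets-rotation", "secretsmanager.amazonaws.com", "GetSecretValue", "198.51.100.4"),
]})

def principal(record):
    """Prefer the role ARN behind an assumed-role session over the session ARN."""
    ident = record.get("userIdentity", {})
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or ident.get("arn") or "unknown"

def hunt(log_text, allowed=ALLOWED_ROLES):
    """Group hunted calls by principal, skipping roles expected to read secrets."""
    findings = {}
    for rec in json.loads(log_text).get("Records", []):
        if (rec.get("eventSource"), rec.get("eventName")) not in HUNT_EVENTS:
            continue
        arn = principal(rec)
        if any(frag in arn.rsplit("/", 1)[-1] for frag in allowed):
            continue
        hit = findings.setdefault(arn, {"events": {}, "ips": set()})
        hit["events"][rec["eventName"]] = hit["events"].get(rec["eventName"], 0) + 1
        hit["ips"].add(rec.get("sourceIPAddress"))
    for hit in findings.values():
        # One principal both listing and reading secrets matches the stealer's behavior.
        hit["enumerate_and_dump"] = {"ListSecrets", "GetSecretValue"} <= set(hit["events"])
    return findings
```

Calling `hunt(SAMPLE_LOG)` returns one entry, keyed by the CI runner role ARN, with per-operation counts and source IPs.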

This live API abuse is the payload’s most notable behavior. It extends the blast radius from disk-resident credential files to managed secrets not stored on the host at all. A CI runner with an IAM role scoped to a specific task, one that never touches Secrets Manager during normal operation, becomes a window into every secret that role can enumerate if TeamPCP reaches it.

Exfiltration and cleanup

The outer loader collects all inner stealer output to a temporary file, compresses it as trin.tar.gz, and exfiltrates with a single HTTPS POST using a custom actor-branded header that acts as a server-side gate. The C&C endpoint only accepts requests with the exact header value, blocking accidental discovery by scanners. The C&C resolved to a Cloudflare-fronted IP and returned HTTP 404 during our analysis. Based on C&C lifecycle patterns observed across prior TeamPCP waves, we assess with high confidence that the actor cycles infrastructure rapidly post-operation. A temporary-directory context manager deletes all artifacts including trin.tar.gz on exit, leaving only a single persistence marker.

The exfiltration header pattern mirrors the LiteLLM and Xinference payloads. The actor has embedded operator branding into exfiltration headers across every confirmed Python-target wave. This is a network-layer detection opportunity that survives C&C domain rotation.

Evolving tradecraft: What changes between waves

Comparing the two cases side by side shows the threat actor adapting delivery and crypto per operation while holding the objective constant:

Delivery language: KICS used JavaScript executed via the Bun runtime, an approximately 10-MB payload requiring a downloaded runtime binary on the victim system. On the other hand, elementary-data used Python .pth, a 46-KB file that executes on interpreter startup with no additional dependencies. The .pth approach is smaller, leaves fewer artifacts, and works against any Python environment regardless of installed packages.

Cryptographic sophistication: KICS used AES-256-GCM plus RSA OAEP-SHA256, a proper hybrid encryption scheme where each victim’s stolen data is encrypted with a unique session key that only the attacker can decrypt. Conversely, elementary-data used MD5-keystream XOR, which is technically weaker but sufficient for a payload that never needs to decrypt data on the victim side. The threat actor appears to calibrate crypto to operational need rather than defaulting to maximum strength.

Initial access complexity: KICS required unauthorized write access to Docker Hub and VS Code publisher accounts across three channels simultaneously, which takes more effort and generates more noise. In contrast, elementary-data required a single pull request comment on a public repository. The structural weakness exploited is present in thousands of open-source projects.

C&C resilience: KICS implemented a fallback domain recovery mechanism via signed GitHub commits, allowing C&C rotation without redeploying payloads. The elementary-data payload used a simple C&C with no observed fallback. The actor reserved the more sophisticated C&C architecture for the operation with a larger blast radius and longer expected credential shelf-life. Bitwarden CLI credentials may persist longer than CI runner tokens.

The emerging pattern across all waves: Each new attack introduces a more structural initial access vector, from exploiting GitHub Action permissions in March to comment injection requiring no permissions at all on April 24. The cryptographic and obfuscation sophistication per payload does not uniformly increase. Instead, the actor applies crypto proportional to the expected credential value and adjusts the initial access technique toward progressively lower-barrier structural vulnerabilities.
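The .pth delivery compared above works because Python's site module executes any .pth line that begins with import at interpreter startup. The following added example (not code from the original analysis) audits site-packages directories for .pth files that contain such lines or exceed a size threshold; the 100 KB default is the audit threshold given in the recommendations.

```python
import os
import site

SIZE_LIMIT = 100 * 1024  # audit threshold from the recommendations (100 KB)

def audit_pth(site_dirs, size_limit=SIZE_LIMIT):
    """Flag .pth files that carry executable lines or exceed size_limit bytes."""
    findings = []
    for directory in site_dirs:
        if not os.path.isdir(directory):
            continue
        for name in sorted(os.listdir(directory)):
            if not name.endswith(".pth"):
                continue
            path = os.path.join(directory, name)
            with open(path, "rb") as fh:
                data = fh.read()
            text = data.decode("utf-8", "replace")
            # site.py executes only lines starting with "import" plus space or tab;
            # every other non-comment line is treated as a path entry.
            exec_lines = [n for n, line in enumerate(text.splitlines(), 1)
                          if line.startswith(("import ", "import\t"))]
            if exec_lines or len(data) > size_limit:
                findings.append({"path": path, "size": len(data),
                                 "exec_lines": exec_lines,
                                 "oversized": len(data) > size_limit})
    return findings

if __name__ == "__main__":
    # Legitimate packages also ship import lines, so review each hit by hand.
    dirs = site.getsitepackages() + [site.getusersitepackages()]
    for hit in audit_pth(dirs):
        print(hit)
```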

Security recommendations

The following remediation applies across both incidents. Organizations should prioritize security measures based on which artifacts they have confirmed exposure to:

  1. Treat any environment that pulled checkmarx/kics Docker tags (alpine, debian, latest, v2.1.20, v2.1.20-debian, v2.1.21, or v2.1.21-debian) between approximately 12:35 and 15:41 UTC on April 22 as fully compromised. The same should apply to any environment that installed VS Code extensions cx-dev-assist v1.17.0 or v1.19.0, ast-results v2.63.0 or v2.66.0, used checkmarx/ast-github-action before v2.3.36, or installed @bitwarden/cli v2026.4.0.
  2. Rotate credentials from a clean host, not from within the potentially compromised CI environment, including GitHub PATs (ghp_*, gho_*), AWS IAM access keys, Azure credentials and service principal secrets, GCP service account keys, npm tokens (npm_*), SSH private keys from ~/.ssh/id_*, and any secrets stored in .env or .git-credentials files. AI and MCP tool credentials should be included in rotation, as the payload specifically targets ~/.claude.json and ~/.kiro/settings/mcp.json.
  3. Upgrade to safe versions of Docker checkmarx/kics:v2.1.20 (restored: verify against known-clean digest before use), VS Code cx-dev-assist v1.18.0, ast-results v2.64.0, GitHub Action checkmarx/ast-github-action@v2.3.36, npm @bitwarden/cli v2026.3.0 or earlier.
  4. Audit GitHub Actions logs for format-check.yml workflow runs. Search for auto-created public repositories matching the <word>-<word>-<3 digits> Dune-themed naming pattern with description Shai-Hulud: The Third Coming. These might contain encrypted credential blobs that the threat actor has not yet retrieved.
  5. Hunt for Bun runtime artifacts. The presence of a bun or bun.exe binary in unexpected working directories indicates that payload execution occurred even if exfiltration was disrupted.
  6. Block the documented C&C infrastructure at the network perimeter. Our section on indicators of compromise (IoCs) provides more information.

  1. Treat any host where elementary-data==0.23.3 was installed, or where a container pulled from ghcr[.]io/elementary-data/elementary:0[.]23[.]3 or :latest ran during the exposure window, as fully compromised. The .pth payload fires at Python interpreter startup. Any Python process on the host after installation might have triggered it.
  2. Rotate the following in priority order: AWS access keys and session tokens, GCP service account keys, Azure credentials, Kubernetes service account tokens, then update authorized_keys on connected hosts, GitHub PATs, HashiCorp Vault tokens, npm tokens, all .env and .env.production secrets. Cryptocurrency wallet private keys should be treated as potentially exposed if present on the host, as funds might already be at risk.
  3. Audit for payload artifacts, including a persistence marker file in $TMPDIR (see IoC section) and any elementary.pth in Python site packages exceeding 100 KB.
  4. Install elementary-data==0.23.4 (maintainer-confirmed safe). For Docker, pin to the precompromise baseline digest listed in the IoC section.
  5. Review network logs for outbound connections to the documented exfil and stager domains (see the IoC section). Presence of either confirms exfiltration attempt, which might require escalation to incident response.

  1. Audit all GitHub Actions workflows in the organization’s repositories for user-controlled expressions interpolated directly into run: blocks (${{ github.event.comment.body }}, ${{ github.event.issue.title }}, and similar patterns). This is the structural vulnerability that enabled the elementary-data attack, and the pattern is widespread in open-source projects.
  2. Pin all Docker image pulls to verified digest rather than tag. Apply network egress controls to the CI agent environments. Neither payload would have succeeded in exfiltrating data from a runner with outbound HTTPS blocked to non-allowlisted endpoints.
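One way to run the workflow audit from the first item of this list, as an added example that is not from the original analysis. Both workflow samples are constructed, and the list of untrusted contexts goes beyond the two named on the page to similar user-controlled fields, which is an assumption.

```python
import re

# Contexts an outside user controls: the two named above plus similar fields
# (assumption: an illustrative list, not an exhaustive one).
UNTRUSTED = re.compile(
    r"\$\{\{[^}]*\bgithub\.(?:head_ref|event\.(?:comment|issue|pull_request|review)"
    r"\.(?:body|title|head\.ref))[^}]*\}\}")
RUN_KEY = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")

# Constructed workflow: the comment body is pasted into the shell script text.
VULNERABLE = """\
on: issue_comment
jobs:
  fmt:
    runs-on: ubuntu-latest
    steps:
      - run: |
          echo "Comment: ${{ github.event.comment.body }}"
"""
# Constructed fix: the value reaches the shell as data through an env variable.
HARDENED = """\
on: issue_comment
jobs:
  fmt:
    runs-on: ubuntu-latest
    steps:
      - env:
          COMMENT_BODY: ${{ github.event.comment.body }}
        run: |
          echo "Comment: $COMMENT_BODY"
"""

def scan_workflow(text):
    """Return (line_number, expression) for untrusted expressions inside run: steps."""
    findings, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        m = RUN_KEY.match(lines[i])
        i += 1
        if not m:
            continue
        key_col, body = len(m.group(1)), [(i, m.group(2))]
        if m.group(2)[:1] in ("|", ">"):
            # Block scalar: its lines are blank or indented deeper than the key.
            while i < len(lines) and (not lines[i].strip() or
                    len(lines[i]) - len(lines[i].lstrip(" ")) > key_col):
                i += 1
                body.append((i, lines[i - 1]))
        findings += [(n, e) for n, line in body for e in UNTRUSTED.findall(line)]
    return findings
```

The scanner reports line 7 of the vulnerable sample and nothing for the hardened one, because an expression under env: is never expanded into the script text.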

TrendAI Vision One™ Integration

TrendAI Vision One™ XDR customers have coverage against the Checkmarx KICS incident through pattern-based detections for both the KICS credential stealer and the Bitwarden CLI variant, behavioral detections that flag Bun runtime execution and credential harvesting spawned by JavaScript runtimes across AWS, Azure, GCP, and GitHub CLI paths, and network inspection signatures for the Bun runtime download pattern, GitHub commit-search dead-drop C&C behavior, and HTTPS exfiltration to the Checkmarx-impersonating C&C. Specific detection names and signature identifiers are listed in the Indicators of compromise section.

For the elementary-data incident, pattern-based detection coverage is pending. TrendAI Vision One™ XDR customers can hunt across both incidents using the following behaviors:

  • Python interpreter processes initiating outbound HTTPS at startup
  • File creation events for trin.tar.gz or the .trinny-security-update marker in temporary directories
  • DNS queries to the documented C&C domains (see the IoC section)
  • Outbound HTTP requests carrying the actor-branded custom header
  • Bun binary creation in unexpected paths
  • GitHub commit-search API calls originating from CI runner principals
  • CloudTrail events for secretsmanager:ListSecrets, secretsmanager:GetSecretValue, and ssm:DescribeParameters from CI or data pipeline IAM roles that should not be accessing Secrets Manager

For defenders: Block the documented C&C infrastructure at the network perimeter. Enable behavioral detections for Bun execution in CI agent environments. Alert on Python interpreter child processes initiating outbound HTTPS at startup. The custom exfiltration header is a near-zero-false-positive detection signal if visible in network inspection.

For decision-makers: Both operations weaponize the trust relationships that developer toolchains depend on, such as a Docker image from the official Checkmarx repository or a PyPI package signed by the project’s own CI. Cryptographic image digest pinning and network egress controls on CI runners are the structural mitigations that limit this class of attack regardless of which project TeamPCP targets next. The elementary-data incident shows that a simple pull request comment can be sufficient for entry when workflows interpolate GitHub event data into shell commands without sanitization.

For incident responders: Triage by checking pip freeze and lock files for elementary-data==0.23.3 across developer workstations and CI runners. Check container image manifests against the malicious digest listed in the IoC section. For the KICS incident, the fallback C&C recovery mechanism means blocking the current C&C IP does not guarantee a clean system. Audit any GitHub commit-search API calls from CI agents. Preserve any .trinny-security-update and trin.tar.gz artifacts as evidence before wiping affected hosts.

TrendAI Vision One™ Threat Intelligence Hub

TrendAI Vision One™ Threat Intelligence Hub provides the latest insights on emerging threats and threat actors, exclusive strategic reports from TrendAI™ Research, and TrendAI Vision One™ Threat Intelligence Feed in the TrendAI Vision One™ platform.

Emerging Threats: TeamPCP Supply Chain Campaign: Checkmarx KICS Compromise and Bitwarden CLI Hijack

MITRE ATT&CK mapping

The following techniques cover tactics observed across both incidents. Mapping is partial for this wave; persistence, lateral movement, and extended discovery coverage will follow in our succeeding analysis.
