Anonymous Intelligence Signal

TeamPCP Exploits CI/CD Pipelines: Checkmarx KICS and elementary-data Compromises Expose Credential Theft Campaign

Source: Mastodon:mastodon.social:#cybersecurity (The Lab, unverified), 2026-05-14 01:18:24

Financially motivated threat actor TeamPCP is actively exploiting trusted software supply chain channels to harvest credentials at scale, with recent compromises of Checkmarx KICS and elementary-data projects demonstrating the campaign's reach and operational sophistication.

The attack chain leverages CI/CD infrastructure as a direct pathway to high-value secrets. In the Checkmarx KICS compromise on April 22 and the elementary-data attack on April 24, TeamPCP weaponized legitimate distribution channels—including Docker Hub, PyPI, and GitHub Actions—to deliver malicious payloads. The KICS operation employed a 10 MB JavaScript payload executed via Bun runtime, encrypting exfiltrated data with AES-256-GCM and RSA OAEP-SHA256. The targeting scope spans GitHub personal access tokens, cloud service credentials, SSH keys, and cryptocurrency wallets, with compromised tokens reportedly operationalized within 24 hours of theft.

The campaign's technical profile and monetization velocity distinguish it from commodity attacks. Security researchers note that distinct techniques were employed per target, suggesting adaptive operational behavior rather than rigid script deployment. The abuse of trusted infrastructure—Docker Hub, PyPI, GitHub Actions—amplifies detection difficulty and expands the blast radius for organizations that automatically pull or build from these registries. Organizations with CI/CD pipelines touching Checkmarx KICS or elementary-data dependencies should audit recent workflow history, rotate potentially exposed secrets, and verify build chain integrity.
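One practical form of the build-chain integrity audit recommended above is to flag every mutable reference a workflow pulls from the channels named here (GitHub Actions by tag, container images by tag, packages without hash pinning). The script below is an added example, not code from the page or from any project it mentions; the workflow text is constructed for illustration.

```python
import re

# Constructed sample workflow (illustration only, not from any real repository).
SAMPLE_WORKFLOW = """\
jobs:
  scan:
    runs-on: ubuntu-latest
    container:
      image: example/iac-scanner:latest
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
      - uses: example-org/iac-scan@v1
      - run: pip install some-package==1.2.3
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
IMAGE_RE = re.compile(r"^\s*(?:-\s*)?(?:image:|FROM)\s+([^\s#]+)", re.IGNORECASE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def action_pinned(ref):
    """An action ref is immutable only when pinned to a full commit SHA or image digest."""
    if ref.startswith("./"):  # local action living in the same repository
        return True
    _, _, version = ref.partition("@")
    return bool(SHA_RE.match(version)) or version.startswith("sha256:")


def find_mutable_refs(text):
    """Return (line_no, ref, reason) for each reference an upstream compromise could swap."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and not action_pinned(m.group(1)):
            findings.append((n, m.group(1), "action not pinned to commit SHA"))
            continue
        m = IMAGE_RE.match(line)
        if m and "@sha256:" not in m.group(1):
            findings.append((n, m.group(1), "container image not pinned by digest"))
            continue
        if "pip install" in line and "--require-hashes" not in line:
            findings.append((n, line.strip(), "pip install without --require-hashes"))
    return findings


if __name__ == "__main__":
    for line_no, ref, reason in find_mutable_refs(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {reason}: {ref}")
```

Run it over every workflow file and Dockerfile in the repository; each finding is a reference that a compromised registry or tag could silently redirect, and so a candidate for SHA or digest pinning.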