The FBI has issued an alert about TeamPCP, a criminal group that compromises the developer and security tools organizations trust inside their build pipelines to steal cloud credentials at scale. Rather than targeting end users, TeamPCP injects malicious code into legitimate software such as the Trivy and KICS scanners and the LiteLLM library, then pushes trojanized updates that continuous integration systems pull in automatically. Its malware harvests AWS, Google Cloud, and Azure tokens, Kubernetes service-account credentials, and more. One technique the FBI highlights is taking over npm maintainer accounts by re-registering the maintainer's long-expired recovery email domain, then using password reset to publish malicious package versions.
Researchers at Novee disclosed Cordyceps, a systemic class of weaknesses in CI/CD pipelines, especially GitHub Actions workflows, that lets an attacker with nothing more than a free account hijack a project's build and release process. The danger is not a single bug but how workflows chain together: an untrusted pull request or comment feeds a low-privilege workflow whose output flows into a higher-privilege one, ending in stolen credentials, poisoned artifacts, or malicious releases. A scan of 30,000 repositories found over 300 fully exploitable, with fixes confirmed by Microsoft, Google, Apache, Cloudflare, and the Python Software Foundation. Standard scanners miss it because they check files in isolation.
Researcher RyotaK has disclosed a now-patched flaw in Anthropic's Claude Code GitHub Action, which drops Claude into CI/CD to triage issues and review PRs with broad repo permissions. The action's trigger check waved through any actor whose name ended in [bot] - but anyone can register a GitHub App and use its token to open an issue on a public repo. Agent mode lacked the human-actor check tag mode had. The attacker then used indirect prompt injection in an issue to make Claude read /proc/self/environ and write back the OIDC credentials, which can be replayed for an installation token with write access. Anthropic's example workflow shipped with allowed_non_write_users: '*'.
TeamPCP, the group behind the March Trivy breach and Shai-Hulud npm worm, used credentials stolen in that March attack to publish a backdoored version of Checkmarx's Jenkins AST plugin to the Jenkins Marketplace. This is the third Checkmarx supply-chain hit since late March. The rogue version 2026.5.09 went up on May 9, outside Checkmarx's normal release process - no git tag, no GitHub release. Checkmarx says its GitHub repos are isolated from customer production and no customer data is stored there, but anyone who installed the bad plugin should assume their CI credentials are compromised, rotate them all, and hunt for lateral movement.
Attackers compromised four official SAP npm packages on Wednesday and replaced them with versions that quietly steal developer credentials when installed. The packages - mbt, @cap-js/sqlite, @cap-js/postgres, and @cap-js/db-service - are SAP's open-source tools for cloud application development. Anyone who ran 'npm install' between 09:55 and 12:14 UTC on April 29 had their machine grab GitHub tokens, npm credentials, and AWS, Azure, and GCP secrets, then dump them into public GitHub repositories on the victim's own account. The same attackers (TeamPCP) hit Trivy, Checkmarx, and Bitwarden earlier this year. The malware skips Russian-language systems entirely.
Researchers disclosed CVE-2026-3854, a critical GitHub Enterprise Server flaw that lets anyone with push access execute arbitrary commands on the GitHub server with a single git push. The bug is in how Enterprise Server handles repository hooks during push operations - a crafted commit message or filename bypasses the sanitization that normally prevents shell injection. GitHub patched it last week, but self-hosted instances need to apply the patch manually, and telemetry shows most haven't yet. Anyone with developer-level access to a vulnerable Enterprise Server can take over the entire instance, then pivot into every repository and CI/CD secret it hosts.
Atlassian's April 21 security bulletin disclosed CVE-2026-21571, a critical OS command injection in Bamboo Data Center and Server with CVSS 9.4. An authenticated attacker can execute arbitrary commands on the underlying server, leading to full system compromise and lateral movement. Affected branches: 9.6, 10.0, 10.1, 10.2, 11.0, 11.1, 12.0, 12.1. The same bulletin patches CVE-2026-33871 (CVSS 8.7) - a Netty HTTP/2 DoS that can knock CI/CD pipelines offline. Bamboo sits at the heart of build pipelines, giving attackers a clean path to tamper with artifacts and harvest pipeline secrets.