Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7
Tag: ci-cd (7 articles)Clear

FBI warns TeamPCP poisons trusted developer tools to steal cloud credentials

The FBI has issued an alert about TeamPCP, a criminal group that compromises the developer and security tools organizations trust inside their build pipelines to steal cloud credentials at scale. Rather than targeting end users, TeamPCP injects malicious code into legitimate software such as the Trivy and KICS scanners and the LiteLLM library, then pushes trojanized updates that continuous integration systems pull in automatically. Its malware harvests AWS, Google Cloud, and Azure tokens, Kubernetes service-account credentials, and more. One technique the FBI highlights is taking over npm maintainer accounts by re-registering the maintainer's long-expired recovery email domain, then using password reset to publish malicious package versions.

Check
Check whether your build pipelines pulled trojanized versions of tools like Trivy, KICS, or LiteLLM, review the FBI's indicators, and audit whether any package maintainer accounts use expired recovery email domains.
Affected
Organizations whose CI/CD pipelines automatically pull developer and security tools, and maintainers whose npm recovery email domains have lapsed; TeamPCP uses these paths to steal cloud, Kubernetes, and registry credentials.
Fix
Pin GitHub Actions to commit hashes, rotate CI/CD secrets and cloud credentials, scope publishing tokens and enforce least privilege, require phishing-resistant MFA on publishing accounts, and delay installing brand-new package versions.

Cordyceps CI/CD weakness lets anonymous pull requests hijack build pipelines

Researchers at Novee disclosed Cordyceps, a systemic class of weaknesses in CI/CD pipelines, especially GitHub Actions workflows, that lets an attacker with nothing more than a free account hijack a project's build and release process. The danger is not a single bug but how workflows chain together: an untrusted pull request or comment feeds a low-privilege workflow whose output flows into a higher-privilege one, ending in stolen credentials, poisoned artifacts, or malicious releases. A scan of 30,000 repositories found over 300 fully exploitable, with fixes confirmed by Microsoft, Google, Apache, Cloudflare, and the Python Software Foundation. Standard scanners miss it because they check files in isolation.

Check
Audit your GitHub Actions and other CI/CD workflows for steps that pass untrusted pull-request or comment data into higher-privilege jobs, and inventory where workflow tokens grant cloud or registry access.
Affected
Organizations whose CI/CD pipelines run workflows triggered by untrusted pull requests or comments, particularly GitHub Actions setups where low-privilege and high-privilege jobs share data and tokens across trust boundaries.
Fix
Treat workflow files as security-critical code, apply least privilege to workflow tokens, isolate untrusted pull-request triggers, sanitize data crossing between jobs, and review CI/CD changes generated by AI coding tools.

Claude Code GitHub Action flaw let one malicious issue hijack repos via prompt injection and OIDC token theft - bot-trigger bypass

Researcher RyotaK has disclosed a now-patched flaw in Anthropic's Claude Code GitHub Action, which drops Claude into CI/CD to triage issues and review PRs with broad repo permissions. The action's trigger check waved through any actor whose name ended in [bot] - but anyone can register a GitHub App and use its token to open an issue on a public repo. Agent mode lacked the human-actor check tag mode had. The attacker then used indirect prompt injection in an issue to make Claude read /proc/self/environ and write back the OIDC credentials, which can be replayed for an installation token with write access. Anthropic's example workflow shipped with allowed_non_write_users: '*'.

Check
Audit repos using Claude Code GitHub Action: update to the patched version, and check workflows for allowed_non_write_users set to '*'. Review public run summaries for leaked secrets.
Affected
Repositories using vulnerable Claude Code GitHub Action versions, especially in agent mode or with allowed_non_write_users: '*' copied from Anthropic's example. Public repos are exposed to [bot]-triggered prompt-injection attacks.
Fix
Update the Claude Code action to the fixed release. Remove allowed_non_write_users: '*', restrict triggers to write-access humans, and rotate any OIDC-derived tokens. Avoid posting task output to public run summaries.

Checkmarx Jenkins AST plugin backdoored by TeamPCP - third Checkmarx supply chain hit since late March

TeamPCP, the group behind the March Trivy breach and Shai-Hulud npm worm, used credentials stolen in that March attack to publish a backdoored version of Checkmarx's Jenkins AST plugin to the Jenkins Marketplace. This is the third Checkmarx supply-chain hit since late March. The rogue version 2026.5.09 went up on May 9, outside Checkmarx's normal release process - no git tag, no GitHub release. Checkmarx says its GitHub repos are isolated from customer production and no customer data is stored there, but anyone who installed the bad plugin should assume their CI credentials are compromised, rotate them all, and hunt for lateral movement.

Check
Check whether your Jenkins instances have the Checkmarx AST plugin installed. If yes, verify the running version - anything dated 2026.5.09 in the version string is the malicious build.
Affected
Any Jenkins instance running the rogue Checkmarx Jenkins AST plugin version 2026.5.09, which was published to the Jenkins Marketplace on May 9, 2026, between then and Checkmarx's takedown. The plugin was outside Checkmarx's normal release pipeline and lacked both a git tag and a GitHub release.
Fix
Roll back to version 2.0.13-829.vc72453fa_1c16 published December 17, 2025, or any earlier officially-tagged build. Rotate every credential the Jenkins host had access to, including cloud API keys, source-repo tokens, deployment keys, and signing certificates. Hunt for lateral movement from the Jenkins host. Pull Checkmarx's published IoC list from their Support Portal and run it across your environment.

Hackers compromised four official SAP developer packages and used them to steal credentials from any developer who installed an update

Attackers compromised four official SAP npm packages on Wednesday and replaced them with versions that quietly steal developer credentials when installed. The packages - mbt, @cap-js/sqlite, @cap-js/postgres, and @cap-js/db-service - are SAP's open-source tools for cloud application development. Anyone who ran 'npm install' between 09:55 and 12:14 UTC on April 29 had their machine grab GitHub tokens, npm credentials, and AWS, Azure, and GCP secrets, then dump them into public GitHub repositories on the victim's own account. The same attackers (TeamPCP) hit Trivy, Checkmarx, and Bitwarden earlier this year. The malware skips Russian-language systems entirely.

Check
Audit your CI/CD pipelines and dev machines for the four compromised SAP packages installed between April 29 09:55 and 13:46 UTC, and rotate every credential on those machines.
Affected
Any developer or CI/CD environment that ran 'npm install' on mbt 1.2.48, @cap-js/sqlite 2.2.2, @cap-js/postgres 2.2.2, or @cap-js/db-service 2.10.1. SAP enterprise shops running CAP are at acute risk because these are core SAP development packages.
Fix
Update to clean SAP versions: @cap-js/db-service 2.11.0, @cap-js/sqlite 2.4.0, @cap-js/postgres 2.3.0. Rotate every GitHub token, npm token, and cloud credential (AWS, Azure, GCP) on machines that touched those packages. Search GitHub for repositories with the description 'A Mini Shai-Hulud has Appeared' belonging to your developers and report them to GitHub.

Critical GitHub flaw lets a single 'git push' run code remotely on the server - patched, but most self-hosted GitHub Enterprise instances haven't updated yet (CVE-2026-3854)

Researchers disclosed CVE-2026-3854, a critical GitHub Enterprise Server flaw that lets anyone with push access execute arbitrary commands on the GitHub server with a single git push. The bug is in how Enterprise Server handles repository hooks during push operations - a crafted commit message or filename bypasses the sanitization that normally prevents shell injection. GitHub patched it last week, but self-hosted instances need to apply the patch manually, and telemetry shows most haven't yet. Anyone with developer-level access to a vulnerable Enterprise Server can take over the entire instance, then pivot into every repository and CI/CD secret it hosts.

Check
If you run a self-hosted GitHub Enterprise Server, apply the latest patch this week and review push activity from any low-privilege accounts since the patch was released.
Affected
Self-hosted GitHub Enterprise Server instances on versions before the April 2026 patch. The bug requires push access to any repository, which means every developer with commit rights is a potential entry point. CI/CD secrets, signing keys, and source code are exposed. GitHub.com (the SaaS product) is not affected.
Fix
Upgrade GitHub Enterprise Server to the patched release per GitHub's advisory. Until patched, restrict push access to trusted accounts and require code review on all pushes. Audit Enterprise Server logs for unusual git operations or shell processes spawning from the GitHub system user. Rotate any CI/CD secrets, signing keys, and webhook tokens stored on the server.

Atlassian Bamboo Data Center hit with critical OS command injection (CVE-2026-21571, CVSS 9.4) - patch your CI/CD before someone uses it as a supply-chain pivot

Atlassian's April 21 security bulletin disclosed CVE-2026-21571, a critical OS command injection in Bamboo Data Center and Server with CVSS 9.4. An authenticated attacker can execute arbitrary commands on the underlying server, leading to full system compromise and lateral movement. Affected branches: 9.6, 10.0, 10.1, 10.2, 11.0, 11.1, 12.0, 12.1. The same bulletin patches CVE-2026-33871 (CVSS 8.7) - a Netty HTTP/2 DoS that can knock CI/CD pipelines offline. Bamboo sits at the heart of build pipelines, giving attackers a clean path to tamper with artifacts and harvest pipeline secrets.

Check
Inventory every Bamboo Data Center and Server instance you run and upgrade to 12.1.6 LTS, 10.2.18 LTS, or 9.6.25 today.
Affected
Atlassian Bamboo Data Center and Server versions 9.6.0 through 12.1.3 inclusive against CVE-2026-21571 (CVSS 9.4 OS command injection, authenticated). Also exposed to CVE-2026-33871 (CVSS 8.7 DoS via Netty HTTP/2). The authenticated requirement is small comfort - any leaked or shared technician credential is enough.
Fix
Upgrade to Bamboo 12.1.6 LTS, 10.2.18 LTS, or 9.6.25. Audit Bamboo accounts and disable shared logins; require MFA on every Bamboo auth path. Alert on shell interpreters or curl/wget spawning from the Bamboo Java process. Restrict the admin UI to internal networks. Rotate every credential stored in build configurations - they could have been read during the vulnerable window.