What happened
TeamPCP force-pushed 76 of 77 version tags in aquasecurity/trivy-action and all 7 tags in setup-trivy to malicious commits. The injected entrypoint.sh harvested CI secrets from runner memory via /proc/<pid>/mem reads, encrypted the haul with AES-256 + RSA-4096, and exfiltrated it as tpcp.tar.gz to scan.aquasecurtiy[.]org.
Credentials stolen from Trivy runners gave TeamPCP access to Checkmarx's cx-plugins-releases service account. On March 23, all 35 tags of checkmarx/kics-github-action were redirected to an identical stealer exfiltrating to checkmarx[.]zone — a vendor-specific typosquat. A fallback created docs-tpcp repositories via the victim's GITHUB_TOKEN.
The discourse
Sysdig first connected the Trivy and Checkmarx waves publicly. Wiz traced the KICS compromise to the cx-plugins-releases account and found Checkmarx OpenVSX extensions were also backdoored. Microsoft published detection guidance. The consensus: mutable tags are a structural weakness, and runtime detection is the only layer that fires when the action itself is the threat.
What Garnet observed
Garnet's eBPF sensor captures the full process ancestry through each compromised action. The telemetry shows bash spawned from the action context performing /proc/<pid>/mem reads — targeting the Runner.Worker process where GitHub injects secrets. The stealer enumerates credential files, encrypts the haul, and initiates HTTPS POST exfiltration to typosquat domains that blend into CI logs.
Assertions fired:
no_known_bad_egress(DNS resolution toscan.aquasecurtiy[.]organdcheckmarx[.]zone),exec_from_unusual_dir,credentials_files_access,process_memory_read(unauthorized/proc/*/memaccess from action subprocess).
Real-world impact
Any repository that ran a compromised tag between March 19–24 had its full secret set — GitHub PATs, cloud credentials, SSH keys, Kubernetes tokens — exfiltrated. Sysdig confirmed the stolen tokens enabled cascading compromise: one poisoned action captures credentials that poison the next.
