TeamPCP expands: Supply chain compromise spreads from Trivy to Checkmarx GitHub Actions
ID: 1aed2991-76f4-51da-be5e-d3d7f86681bf
STIX ID: report--1aed2991-76f4-51da-be5e-d3d7f86681bf
Feed Name: Sysdig Blog
**Executive Summary:** The Sysdig Threat Research Team observed TeamPCP compromise multiple GitHub Actions (including aquasecurity/trivy-action and Checkmarx/ast-github-action) to deploy an identical credential-stealing payload that harvested GitHub tokens and cloud IMDS credentials and exfiltrated them as an encrypted archive (tpcp.tar.gz) to vendor-typosquat domains (scan.aquasecurtiy.org, checkmarx.zone); the report includes IOCs, process/network artifacts, detection mappings (Falco/Sysdig Secure rules), and remediation guidance.
