checkmarx/kics-github-action to a malicious commit — after earlier stealing access via compromised Trivy CI credentials. Part of Five Supply Chain Attacks. One Blind Spot. — a series on the structural gap that appeared across every major CI/CD compromise in March 2026.
Credentials exfiltrated from compromised Trivy runners gave TeamPCP access to Checkmarx's cx-plugins-releases service account. With that account, the KICS action was turned into the same stealer seen in the Trivy compromise, exfiltrating to checkmarx[.]zone, a vendor-specific typosquat, with a fallback exfiltration path that used the victim workflow's GITHUB_TOKEN to create repositories named docs-tpcp. In parallel reporting, Wiz traced the KICS compromise to the cx-plugins-releases account and found that Checkmarx's OpenVSX extensions were also backdoored, while Sysdig connected the KICS wave to the earlier Trivy campaign.
What Garnet observed
Method: Garnet replayed the compromised kics-github-action v2.1.20 tag (commit b974e53d) in an isolated lab. The pipeline stayed green: the scan completed with exit code 0 while the malicious behavior ran in parallel, so neither the job status nor the job log distinguished it from a clean run.
The attack chain
[Interactive run profile: execution lineage for run 23471711050]
The replay surfaced 23 behavioral detections, including credential scraping from /proc/*/mem (reading other processes' memory for secrets), linker-path poisoning, tampering with shared libraries, and egress to checkmarx.zone, apk.cgr.dev, and GitHub-adjacent IPs, while the scanner's output still looked like a normal KICS run. These are process-level behaviors on the runner, not anything the action writes to its log, so they are visible only to runtime instrumentation.
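The four behaviors named above are simple to express as rules once runner events are available. The following is an added example written for this page, not Garnet's code and not its event format: it parses a constructed, hypothetical event stream ("pid comm op target") and flags cross-process /proc reads, writes to dynamic-linker configuration, writes to installed shared libraries, and egress to the checkmarx.zone indicator or to any host outside an illustrative per-job allowlist (the allowlist and the sample events are assumptions). The sample ends with the scan exiting 0, which is the point: the exit code carries no information about what the sibling processes did.

```python
"""Flag the runner-side behaviours described above in a stream of process events.

Added example, not Garnet's code and not its event format. Each event line is
in a constructed, hypothetical format:
    <pid> <comm> <op> <target>
with op in {exec, open-read, open-write, connect, exit}. The rules encode the
indicators named on the page (reads of /proc/*/mem, linker-path poisoning,
shared-library tampering, egress to checkmarx.zone); the egress allowlist and
the sample events are assumptions made for illustration.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: the scan (pid 4101) finishes with exit code 0 while two
# sibling processes from the same entrypoint scrape and exfiltrate secrets.
SAMPLE_EVENTS = """\
4101 kics exec /app/bin/kics
4101 kics open-read /repo/terraform/main.tf
4102 curl exec /usr/bin/curl
4102 curl connect checkmarx.zone:443
4103 python3 open-read /proc/4101/mem
4103 python3 open-read /proc/1/environ
4103 python3 open-write /etc/ld.so.preload
4103 python3 open-write /usr/lib/x86_64-linux-gnu/libcurl.so.4
4102 curl connect api.github.com:443
4101 kics exit 0
"""

KNOWN_BAD_HOSTS = {"checkmarx.zone"}               # named on the page; extend from the vendor advisory
ALLOWED_EGRESS = {"api.github.com", "github.com"}  # illustrative per-job allowlist (assumption)
LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")
LINKER_CONFIG = ("/etc/ld.so.preload", "/etc/ld.so.conf", "/etc/ld.so.conf.d/")
PROC_SENSITIVE = re.compile(r"^/proc/(self|\d+)/(mem|environ|maps)$")


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


def classify(pid, op, target):
    """Return a rule name for one event, or None if it looks benign."""
    if op == "open-read":
        m = PROC_SENSITIVE.match(target)
        # A process reading its own memory or environment is normal; reading
        # another process's is how secrets get scraped off the runner.
        if m and m.group(1) not in ("self", str(pid)):
            return "proc-mem-scrape"
    elif op == "open-write":
        if target.startswith(LINKER_CONFIG):
            return "linker-path-poison"      # forces attacker code into every later exec
        if target.startswith(LIB_DIRS) and ".so" in target:
            return "shared-lib-tamper"       # backdoors a library the scan itself will load
    elif op == "connect":
        host = target.rsplit(":", 1)[0]
        if host in KNOWN_BAD_HOSTS:
            return "egress-known-ioc"
        if host not in ALLOWED_EGRESS:
            return "egress-unexpected"       # catches the GitHub-adjacent IPs in the report
    return None


def parse(line):
    """Split one event line; returns None for blank or malformed lines."""
    parts = line.split(None, 3)
    if len(parts) != 4 or not parts[0].isdigit():
        return None
    pid, comm, op, target = parts
    return int(pid), comm, op, target


def triage(events_text):
    """Return (scan_exit_code, findings). Exit code 0 with findings is the blind spot."""
    findings, exit_code = [], None
    for line in events_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        pid, comm, op, target = ev
        if op == "exit":
            exit_code = int(target)
            continue
        rule = classify(pid, op, target)
        if rule:
            findings.append(Finding(pid, rule, f"{comm} {op} {target}"))
    return exit_code, findings


def summarize(findings):
    """Count findings per rule, the number to set beside the green exit code."""
    return Counter(f.rule for f in findings)


if __name__ == "__main__":
    code, found = triage(SAMPLE_EVENTS)
    print(f"scan exit code: {code}, behavioral findings: {len(found)}")
    for f in found:
        print(f"  pid {f.pid}: {f.rule}: {f.detail}")
```

The self-pid exception in classify matters in practice: scanners legitimately read /proc/self/maps and their own environment, so a rule that fires on every /proc read drowns the one cross-process read that matters.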
Real-world impact
Any repository that ran a compromised KICS tag during the window had its secrets at risk of exfiltration to attacker-controlled infrastructure; every secret available to such a run should be treated as exposed and rotated. The same TeamPCP campaign used credentials from the Trivy compromise to reach KICS, and tokens stolen in this wave later surfaced in the LiteLLM and Telnyx PyPI attacks.
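The first practical question after reading this is which workflows referenced the affected action. The following is an added example, not Checkmarx's or Garnet's tooling: it scans workflow text for `uses:` lines, flags the tag and short commit named on this page for checkmarx/kics-github-action, flags any other floating reference to that action (a moved tag can only be cleared against the vendor's list of affected tags), and reports every action that is not pinned to a full commit SHA. Treating the page's short SHA b974e53d as a prefix of the full commit is an assumption; the sample workflow and the rule names are constructed for illustration.

```python
"""Audit workflow files for references to the compromised KICS action.

Added example, not Checkmarx's or Garnet's tooling. The only indicators taken
from the page are the tag v2.1.20 and the short commit b974e53d of
checkmarx/kics-github-action; treating that short SHA as a prefix of the full
commit is an assumption, and the sample workflow and rule names are constructed.
"""
import re
from pathlib import Path

ACTION = "checkmarx/kics-github-action"
BAD_TAGS = {"v2.1.20"}               # named on the page; extend from the vendor advisory
BAD_SHA_PREFIXES = ("b974e53d",)     # page gives the short SHA; assumed prefix of the full commit
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
USES = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^@\s'"]+)@([^\s'"#]+)""")

# Constructed sample: one compromised pin, one floating major tag of the same
# action, one unpinned third-party action and one correctly SHA-pinned action.
SAMPLE_WORKFLOW = """\
name: iac-scan
on: [push]
jobs:
  kics:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: run KICS
        uses: checkmarx/kics-github-action@v2.1.20
        with:
          path: terraform
      - uses: checkmarx/kics-github-action@v2
      - uses: some-org/other-action@0123456789abcdef0123456789abcdef01234567
"""


def audit(workflow_text):
    """Return (line, rule, action@ref) for every 'uses:' reference needing attention."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES.match(line)
        if not m:
            continue                      # local (./path) and docker:// steps are not audited here
        action, ref = m.groups()
        pinned = bool(FULL_SHA.match(ref))
        if action == ACTION:
            if ref in BAD_TAGS or ref.startswith(BAD_SHA_PREFIXES):
                findings.append((lineno, "compromised-ref", f"{action}@{ref}"))
            elif not pinned:
                # A floating tag (v2, main) may have pointed at the bad commit during
                # the window; only the vendor's list of affected tags can clear it.
                findings.append((lineno, "kics-mutable-ref", f"{action}@{ref}"))
        elif not pinned:
            findings.append((lineno, "mutable-ref", f"{action}@{ref}"))
    return findings


def audit_repo(repo_root):
    """Run audit() over .github/workflows/*.yml and *.yaml below repo_root."""
    results = {}
    for path in sorted(Path(repo_root, ".github", "workflows").glob("*.y*ml")):
        findings = audit(path.read_text())
        if findings:
            results[str(path)] = findings
    return results


if __name__ == "__main__":
    for lineno, rule, ref in audit(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {rule}: {ref}")
```

Run audit_repo(".") in each checkout; a compromised-ref finding means every secret exposed to the runs that used it has to be rotated, and the org should also be searched for repositories named docs-tpcp (for example `gh repo list <org> --json name --jq '.[].name' | grep -x docs-tpcp`), since the page describes those as the stealer's fallback exfiltration path. Pinning to a full commit SHA from a known-good release removes the moved-tag exposure but not a pin that already points at the bad commit, which is why the compromised-ref check runs before the pin check.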
Explore the run profile above, or start observing your own workflows with Garnet.