checkmarx/kics-github-action to a malicious commit — after earlier stealing access via compromised Trivy CI credentials. Credentials exfiltrated from Trivy runners gave TeamPCP access to Checkmarx's cx-plugins-releases service account; the KICS action was turned into an identical stealer, exfiltrating to checkmarx[.]zone — a vendor-specific typosquat — with a fallback path that created docs-tpcp repositories via the victim's GITHUB_TOKEN. In parallel reporting, Wiz traced the KICS compromise to the cx-plugins-releases account and found that Checkmarx OpenVSX extensions were also backdoored, while Sysdig connected the KICS wave to the earlier Trivy campaign.
What Garnet observed
Method: Garnet replayed compromised KICS v2.1.20 (SHA b974e53d) in lab conditions. Pipeline output stayed green (scan completed, exit code 0) while malicious behavior ran in parallel.
Process lineage (run 23471711050)
The replay surfaced 23 behavioral detections including /proc/*/mem credential scraping, linker-path poisoning, shared library tampering, and egress to checkmarx.zone, apk.cgr.dev, and GitHub-adjacent IPs — while the scanner UI still looked like a normal KICS run.
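The run-time check that this replay implies, as an added example that is not Garnet's own tooling: a small rule set over constructed runner telemetry that reports the behaviors listed above even when the job exits 0. The event format, the process IDs and the egress allowlist are assumptions made for the example.

```python
import re

# Constructed runner telemetry for one job (not Garnet's data). Each event is
# (kind, detail) with kind in {"exec", "open", "write", "egress"}.
SAMPLE_EVENTS = [
    ("exec", "/usr/bin/kics scan -p /github/workspace"),
    ("open", "/proc/1832/mem"),            # reading another process's memory
    ("write", "/etc/ld.so.preload"),       # linker-path poisoning
    ("egress", "checkmarx.zone:443"),      # typosquat of the vendor domain
    ("egress", "api.github.com:443"),      # legitimate for a GitHub Action
    ("exec", "/bin/sh -c 'exit 0'"),
]
SAMPLE_EXIT_CODE = 0

# Destinations a KICS run is expected to reach; anything else is reported.
# The allowlist is an assumption for the example, tune it per pipeline.
EGRESS_ALLOWLIST = {"github.com", "api.github.com", "objects.githubusercontent.com"}

PROC_MEM = re.compile(r"^/proc/\d+/mem$")
LINKER_PATHS = ("/etc/ld.so.preload", "/etc/ld.so.conf")
SHARED_LIB = re.compile(r"^/(usr/)?lib(64)?/.*\.so(\.\d+)*$")


def analyze_run(events, exit_code):
    """Return behavioral findings for one job; a green exit code never suppresses them."""
    findings = []
    for kind, detail in events:
        if kind == "open" and PROC_MEM.match(detail):
            findings.append(f"credential scraping: read of {detail}")
        elif kind == "write" and detail in LINKER_PATHS:
            findings.append(f"linker-path poisoning: write to {detail}")
        elif kind == "write" and SHARED_LIB.match(detail):
            findings.append(f"shared library tampering: write to {detail}")
        elif kind == "egress":
            host = detail.rsplit(":", 1)[0]
            if host not in EGRESS_ALLOWLIST:
                findings.append(f"unexpected egress: {host}")
    # The scanner's own status is not evidence of a clean run.
    if findings and exit_code == 0:
        findings.append("job exited 0 despite behavioral findings: do not trust the green status")
    return findings


if __name__ == "__main__":
    for line in analyze_run(SAMPLE_EVENTS, SAMPLE_EXIT_CODE):
        print(line)
```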
Real-world impact
Any repository that ran a compromised KICS tag during the window had secrets at risk of exfiltration to attacker-controlled infrastructure.