Checkmarx KICS Supply Chain Attack Spread Across GitHub Action and Docker Images
The Checkmarx KICS ecosystem was hit by a supply chain compromise that first affected the official GitHub Action and later appeared in official Docker Hub artifacts. Wiz reported that attackers repointed 35 KICS GitHub Action tags to malicious commits during a roughly four-hour window, delivering credential-stealing malware to users pinned to affected versions. The activity was linked with high confidence to TeamPCP, the actor previously tied to the Trivy GitHub Action compromise, based on shared tradecraft including the same RSA public key, similar naming conventions, and use of a compromised GitHub service account to redirect tags to attacker-controlled code. The malware used the domain checkmarx.zone, attempted token theft and exfiltration, and could create docs-tpcp repositories with stolen GITHUB_TOKEN credentials as a fallback channel.

How this story unfolded
11 events from the most recent confirmed update back to the earliest known activity.
Checkmarx discloses AST Scanner Jenkins plugin marketplace compromise
On 2026-05-09, an unauthorized modified version of Checkmarx's AST Scanner Jenkins plugin was published to the Jenkins Marketplace, creating a supply-chain risk for Jenkins CI environments. Checkmarx warned customers not to trust versions published as of that date and advised verifying use of known-good version 2.0.13-829.vc72453fa_1c16.
Checkmarx says stolen GitHub repository data was published on the dark web
On 2026-04-26, Checkmarx said a cybercriminal group had published company-related data on the dark web and that forensic evidence indicated the data came from a GitHub repository accessed through the initial March 23 supply-chain attack. The company said it locked down access to the affected repository, stated it was separate from the customer production environment, and continued investigating whether any customer information was involved.
Checkmarx issues official advisory on April tooling supply-chain incident
On 2026-04-23, Checkmarx published an official security update confirming malicious artifacts had briefly appeared across multiple public distribution channels on April 22, including DockerHub KICS images, ast-github-action, the VS Code AST Results extension, and Developer Assist. The company said it removed the artifacts, rotated credentials, blocked attacker infrastructure, launched a third-party forensic investigation, and advised customers on safe versions, domains/IPs to block, and secret rotation if compromise was suspected.
Reporting links April Checkmarx tooling compromise to TeamPCP
On 2026-04-23, reporting on the Checkmarx Docker and extension supply-chain compromise linked the broader campaign to TeamPCP and said the actor appeared to claim responsibility on X. This extended TeamPCP attribution beyond the earlier March KICS GitHub Action incident to the April Docker and extension tampering activity.
Bissa operation tied to Telegram identities; victims and law enforcement notified
On 2026-04-22, researchers linked the Bissa activity to Telegram handle @BonJoviGoesHard, display name "Dr. Tube," and bots including @bissapwned_bot and @bissa_scan_bot. The report said affected victims were notified, law enforcement was engaged, and the exposed server IP was withheld because of the sensitivity of the recovered data.
Researchers uncover exposed Bissa scanner exploitation infrastructure
On 2026-04-22, The DFIR Report disclosed an exposed server tied to the Bissa scanner platform and a large-scale operation exploiting React2Shell (CVE-2025-55182). Recovered artifacts showed millions of scans, more than 900 confirmed compromises, tens of thousands of harvested .env files, and AI-assisted workflows used to troubleshoot and prioritize victims.
Socket links broader Checkmarx tooling compromise and discloses findings
On 2026-04-22, Socket said evidence suggested the Checkmarx incident extended beyond Docker Hub to other distribution channels, including KICS-related VS Code extension versions 1.17.0 and 1.19.0 that could fetch and execute a remote addon from GitHub without integrity checks. Socket said it disclosed its findings to Checkmarx and that the investigation was ongoing.
Socket identifies malicious KICS Docker images in official Docker Hub repo
By 2026-04-22, Socket reported a suspected supply-chain compromise in Checkmarx’s official checkmarx/kics Docker Hub repository after Docker detected malicious image activity. Attackers had reportedly overwritten legitimate tags such as v2.1.20 and alpine, added a fake v2.1.21 tag, and distributed a modified KICS binary capable of collecting and exfiltrating scan data.
Wiz attributes KICS GitHub Action compromise to TeamPCP
On 2026-03-23, Wiz assessed with high confidence that TeamPCP was behind the KICS GitHub Action supply-chain attack, citing shared naming conventions and the same RSA public key seen in the earlier Trivy GitHub Action compromise. Wiz also documented new attacker tradecraft including the checkmarx.zone C2 domain, docs-tpcp repository exfiltration, and Kubernetes-focused persistence code.
Malicious KICS GitHub Action is reported and repository is taken down
Later on 2026-03-23, a user reported the KICS GitHub Action compromise and the repository was taken down at 16:50 UTC. It was subsequently reinstated after maintainers said the issue had been resolved.
TeamPCP compromises KICS GitHub Action tags via Checkmarx service account
On 2026-03-23, attackers using a compromised GitHub service account, cx-plugins-releases, repointed 35 Checkmarx KICS GitHub Action tags to malicious commits staged on a fork. The tampered action delivered credential-stealing malware to users pinned to affected version tags during an exposure window of roughly four hours.
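Both the March tag repointing and the April Docker Hub tag overwrite worked because consumers referenced mutable tags (a version tag on the GitHub Action, a tag such as v2.1.20 or alpine on the image) rather than an immutable commit SHA or image digest. The following script is an added example, not Mallory's, Checkmarx's or any referenced vendor's code: it scans a GitHub Actions workflow for `uses:` and `image:` references and flags the ones a tag repoint or tag overwrite could hijack. The embedded workflow is constructed; the action name example-org/example-action and the 40-character commit SHA are placeholders, while checkmarx/kics:v2.1.20 is one of the tags the story names.

```python
import re

# Constructed sample workflow, not taken from any real repository. The action
# example-org/example-action and the 40-hex commit SHA are placeholders; the
# image tag v2.1.20 is one of the Docker Hub tags the story reports as overwritten.
SAMPLE_WORKFLOW = """\
name: scan
jobs:
  kics:
    runs-on: ubuntu-latest
    container:
      image: checkmarx/kics:v2.1.20
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/example-action@v2.1.3
      - uses: example-org/example-action@8f4b1e1b2c3d4e5f60718293a4b5c6d7e8f90123
      - uses: ./local-action
"""

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
IMAGE_DIGEST = re.compile(r"^sha256:[0-9a-f]{64}$")
USES_LINE = re.compile(r"\buses:\s*['\"]?([^\s'\"]+)")
IMAGE_LINE = re.compile(r"\bimage:\s*['\"]?([^\s'\"]+)")


def classify_action_ref(ref):
    """Classify a `uses:` reference.

    'local'   - path inside the calling repository, nothing to pin
    'sha'     - owner/repo@<40-hex commit>, immutable
    'mutable' - tag, branch or no ref at all; a repointed tag changes what runs
    """
    if ref.startswith("./"):
        return "local"
    if "@" not in ref:
        return "mutable"          # resolves to the default branch
    _, version = ref.rsplit("@", 1)
    return "sha" if FULL_SHA.match(version) else "mutable"


def classify_image_ref(ref):
    """Classify a container image reference as 'digest' or 'mutable'.

    Only name@sha256:<64-hex> is immutable; a tag such as :v2.1.20 or :alpine
    can be overwritten in the registry, and a bare name means :latest.
    """
    if "@" in ref:
        _, digest = ref.rsplit("@", 1)
        if IMAGE_DIGEST.match(digest):
            return "digest"
    return "mutable"


def audit_workflow(text):
    """Return one finding per action/image reference in a workflow file.

    Each finding is (line_number, kind, reference, status).
    """
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        stripped = line.split("#", 1)[0]      # ignore trailing YAML comments
        m = USES_LINE.search(stripped)
        if m:
            ref = m.group(1)
            findings.append((number, "action", ref, classify_action_ref(ref)))
            continue
        m = IMAGE_LINE.search(stripped)
        if m:
            ref = m.group(1)
            findings.append((number, "image", ref, classify_image_ref(ref)))
    return findings


def unpinned(text):
    """Only the references a tag repoint or tag overwrite could hijack."""
    return [f for f in audit_workflow(text) if f[3] == "mutable"]


if __name__ == "__main__":
    for number, kind, ref, status in audit_workflow(SAMPLE_WORKFLOW):
        flag = "PIN THIS" if status == "mutable" else "ok"
        print(f"line {number:>3} {kind:6} {status:8} {flag:9} {ref}")
```

Run against the sample, the script flags the image tag and the two tag-pinned actions and accepts the SHA-pinned step and the local path. A SHA pin only helps if the commit was reviewed before it was pinned, so pair this check with an update bot that opens a pull request for each new upstream commit rather than with manual edits; for images, record the digest of a version you have verified against the vendor's published known-good list and pin to that.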
Sources (12 references tracked)
Checkmarx tackles another TeamPCP intrusion as Jenkins plugin sabotaged (theregister.com)
Checkmarx Security Update: April 26 (checkmarx.com)
Checkmarx Docker Hub repository compromised with malicious images | brief | SC Media (scworld.com)
Checkmarx Security Update: April 22 (checkmarx.com)
Malicious KICS Docker Images and VS Code Extensions Hit Checkmarx Supply Chain (thehackernews.com)
Bissa Scanner Exposed: AI-Assisted Mass Exploitation and Credential Harvesting - The DFIR Report (thedfirreport.com)
Malicious Checkmarx Artifacts Found in Official KICS Docker ... (socket.dev)
KICS GitHub Action Compromised: TeamPCP Supply Chain Attack | Wiz Blog (wiz.io)


