Threat Intel · HIGH

Supply Chain Attack - KICS GitHub Action Compromised

Wiz Blog
📰 2 sources·Summary by CyberPings Editorial·AI-assisted·Reviewed by Rohit Rana
Basically, a security tool on GitHub was hacked, putting users' data at risk.

Quick Summary

The KICS GitHub Action was compromised in a supply chain attack by TeamPCP. Users of the affected tags are at risk of credential theft. Immediate audits are crucial to ensure security.

What Happened

On March 23, 2026, the KICS GitHub Action, a security scanner developed by Checkmarx, fell victim to a credential-stealing malware attack orchestrated by the group known as TeamPCP. This incident occurred between 12:58 and 16:50 UTC, during which 35 tags were compromised. Users who had pinned their workflows to these tags unknowingly executed the malicious code. The repository was taken down shortly after a user reported the issue to the maintainers. However, it was reinstated later that day with the maintainers claiming the problem was resolved.

This attack marks the second time in a week that TeamPCP has targeted a widely used open-source security scanner. The group employed similar tactics to those used in the recent Trivy incident, indicating a pattern in their approach to supply chain attacks.

Who's Being Targeted

The KICS GitHub Action is an open-source tool designed for Infrastructure as Code security scanning. While it has a smaller user base compared to Trivy, its adoption in both public and private sectors makes it a significant target. Users who rely on KICS for security assessments could be at risk, particularly those who used the compromised tags in their workflows. The attack could potentially expose sensitive data and credentials from affected repositories.

Tactics & Techniques

The attack was executed through a compromised service account, specifically the cx-plugins-releases account, which was responsible for publishing release tags. TeamPCP staged imposter commits on a fork of the KICS repository, embedding their payload, and then re-pointed the existing tags at those malicious commits, so workflows pinned to a tag rather than a commit SHA silently picked up the new code. The malware introduced several new features, including a new command-and-control (C2) domain and a fallback mechanism that creates a repository named docs-tpcp using the victim's GITHUB_TOKEN. This allows the attackers to maintain persistence even if their primary C2 is disrupted.

Defensive Measures

To mitigate the risks associated with this incident, security teams should take immediate action. First, they should audit their GitHub Actions workflows that reference the kics-github-action. If any versions of the action were used during the exposure window, teams should check their workflow run logs for signs of compromise. Additionally, organizations should search for any repositories named docs-tpcp, as these may indicate successful exfiltration of data. For ongoing guidance, users are encouraged to monitor advisories from security firms like Wiz and implement best practices for securing GitHub Actions.
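The audit steps above can be started offline against a checkout of each repository's workflow files. The helper below is an added example, not code from the article or from Wiz: it assumes the action is referenced as checkmarx/kics-github-action (the owner prefix is an assumption), flags tag-pinned references (the mutable form the attackers exploited) for comparison against the exposure window, and matches repository names already fetched from the GitHub API against the docs-tpcp fallback name. Sample workflow text and repository names are constructed.

```python
import re

ACTION = "kics-github-action"
SUSPECT_REPO = "docs-tpcp"  # fallback persistence repo name from the incident
# Matches "uses: owner/repo@ref" lines in a GitHub Actions workflow.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)", re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_action_refs(workflow_text, action=ACTION):
    """Return each reference to the action and whether its pin is immutable."""
    findings = []
    for match in USES_RE.finditer(workflow_text):
        repo, _, ref = match.group(1).partition("@")
        if repo != action and not repo.endswith("/" + action):
            continue
        findings.append({
            "ref": ref or "(default branch)",
            # A full commit SHA cannot be re-pointed; a tag can, which is
            # exactly how the compromised tags reached pinned workflows.
            "immutable": bool(SHA_RE.match(ref)),
        })
    return findings


def suspicious_repos(repo_names):
    """Repositories whose name matches the attacker's docs-tpcp fallback."""
    return [n for n in repo_names if n.split("/")[-1].lower() == SUSPECT_REPO]


# Constructed sample workflow and repository list (not from the article).
SAMPLE_WORKFLOW = """
name: iac-scan
on: [push]
jobs:
  kics:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run KICS
        uses: checkmarx/kics-github-action@v2.1.7
      - uses: checkmarx/kics-github-action@0123456789abcdef0123456789abcdef01234567
"""
SAMPLE_REPOS = ["acme/api", "acme/docs-tpcp", "acme/infra"]

if __name__ == "__main__":
    for f in find_action_refs(SAMPLE_WORKFLOW):
        note = "SHA-pinned" if f["immutable"] else "tag-pinned: check run logs for the exposure window"
        print(f"{f['ref']}: {note}")
    print("repositories to investigate:", suspicious_repos(SAMPLE_REPOS))
```

Tag-pinned hits are the ones whose workflow run logs from the exposure window need review; a SHA pin only needs confirming that the SHA belongs to the upstream repository rather than the attacker's fork.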

🔒 Pro insight: This incident underscores the persistent threat of supply chain attacks, highlighting the need for robust auditing and monitoring of open-source dependencies.

Original article from: Wiz Blog

Also covered by:

Dark Reading: Checkmarx KICS Code Scanner Targeted in Widening Supply Chain Hit

The Hacker News: TeamPCP Hacks Checkmarx GitHub Actions Using Stolen CI Credentials
