checkmarx-kics-github-action
Checkmarx KICS GitHub Action compromised
Attackers gained access to Checkmarx repositories and injected credential-harvesting code into the public KICS GitHub Action. Checkmarx's official March 2026 exposure window controls this record. Third-party analysis described tag poisoning with malicious setup.sh changes, runner-memory and cloud-secret theft, encrypted exfiltration to checkmarx.zone, and attempted systemd or Kubernetes persistence.
- Date
- 2026-03-23
- Category
- Commercial
- Target Surface
- Revision control
- Insertion Phase
- CI/CD
- Impact
- Credential theft
- Cause
- Compromised Account/Credentials
What Was Affected
Package
checkmarx-kics-github-action
LanguageShell
ComponentApplication
Artifact typeaction
Domain typerepository
Domain
github.com
Repository
github.com/Checkmarx/kics-github-action
Compromised Versions
- main during March 2026 exposure window
Incident Context
- Motive
- Credential Theft
- Attribution
- Advanced Persistent Threat
- Transitive
- Yes
- User Impact
- 0
- Observed Duration
- 0 days
Evidence
Compromised Artifacts
External References
Source Data
Source record: proprietary/checkmarx-ast/meta.yaml