Proprietary 2026-04-22 · 0 days · Credential Theft

Checkmarx channels shipped stealers

Part of the Checkmarx vs TeamPCP campaign

A second Checkmarx wave hit DockerHub, GitHub Actions, VS Code Marketplace, and OpenVSX. The affected artifacts again put developer and CI credentials at risk.

Story

On April 22, Checkmarx found a second wave of malicious artifacts. This time the scope crossed more official channels: a public KICS DockerHub image, the AST GitHub Action, and both Microsoft Marketplace and OpenVSX releases of Checkmarx IDE extensions.

The Docker image window was short, less than thirty minutes. The extension windows were longer, ending first in the Microsoft marketplace and later in OpenVSX. Checkmarx said older known-safe versions were not overwritten, so the risk sat in new tags, mutable image tags, and auto-update paths that resolved during the exposure windows.

The recommended response matched the payload's job. Block TeamPCP lookalike infrastructure, pin immutable SHAs, review IDE auto-update behavior, and rotate secrets where affected artifacts ran. A scanner image, action, or IDE extension has proximity to source code, credentials, cloud metadata, and deployment material.
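The pinning step above can be checked mechanically. The following is an added example, not code from Checkmarx or from this record: it flags `uses:` and `image:` references in a workflow that resolve through a mutable tag or branch instead of a 40-character commit SHA or a complete sha256 digest. The sample workflow, its refs, the SHA and digest values, and the function names are constructed for illustration.

```python
import re

# Constructed values: a 40-hex commit SHA and a complete 64-hex image digest.
COMMIT = "1f" * 20
DIGEST = "sha256:" + "ab" * 32

# Constructed sample workflow; refs and tags are illustrative, not from the record.
SAMPLE_WORKFLOW = f"""\
jobs:
  scan:
    runs-on: ubuntu-latest
    container:
      image: checkmarx/kics:latest
    steps:
      - uses: actions/checkout@{COMMIT}
      - uses: checkmarx/ast-github-action@main
      - uses: docker://checkmarx/kics:alpine
      - uses: docker://checkmarx/kics@{DIGEST}
      - uses: ./.github/actions/local
"""

FULL_SHA = re.compile(r"[0-9a-f]{40}")
FULL_DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")
REF_LINE = re.compile(r"^\s*(?:-\s*)?(uses|image):\s*['\"]?([^'\"\s#]+)")

def classify(key, ref):
    """Return None when the reference is immutable, otherwise the reason it is not."""
    if key == "uses" and ref.startswith(("./", "../")):
        return None  # local action, versioned with the repository itself
    if key == "image" or ref.startswith("docker://"):
        # A truncated digest does not match: only a complete SHA-256 pins content.
        return None if FULL_DIGEST.search(ref) else "image not pinned to a sha256 digest"
    rev = ref.partition("@")[2]
    return None if FULL_SHA.fullmatch(rev) else "action not pinned to a full commit SHA"

def audit(text):
    """Return (line_number, reference, reason) for every mutable reference."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        match = REF_LINE.match(line)
        if match and (reason := classify(*match.groups())):
            findings.append((number, match.group(2), reason))
    return findings

if __name__ == "__main__":
    for number, ref, reason in audit(SAMPLE_WORKFLOW):
        print(f"line {number}: {ref}: {reason}")
```
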

Checkmarx later linked the broader incident to credentials obtained after the March supply-chain compromise, reported that repository data was exfiltrated on March 30, and said leaked material appeared on April 25. This record tracks the April artifact distribution wave, not the later disclosure event.

Affected Artifacts

checkmarx/kics

dockerhub · hub.docker.com · repository · OCI Image
Observed: 2026-04-22
Fixed: Not listed
  • The mutable debian Docker tag was reported affected.
  • The mutable alpine Docker tag was reported affected.
  • A mutable latest tag or release channel was reported affected; it is recorded as scope rather than a fixed version identifier.
  • Checkmarx published truncated Docker image digests; they are intentionally not recorded as hashes because they are not complete SHA-256 values.

checkmarx.cx-dev-assist

vscode marketplace · repository · Extension
Observed: 2026-04-22
Compromised Versions:
  • 1.17
  • 1.19
Fixed: 1.18.0, 1.20.0
  • The Microsoft Marketplace exposure ended at 2026-04-22 17:48:00 UTC.
  • The OpenVSX exposure ended at 2026-04-22 21:20:00 UTC.

Incident Context

Motive: Credential Theft
Attribution: Group
Cause: Compromised Account Credentials
Transitive: Yes
Actor: TeamPCP

Indicators

  • domain: checkmarx.cx
  • domain: audit.checkmarx.cx
  • domain: updates.checkmarx.cx
  • ip: 91.195.240.123
  • ip: 94.154.172.43
  • ip: 94.154.172.183
  • observable: Checkmarx reported March 30 data exfiltration from GitHub repositories.
  • observable: Checkmarx reported April 25 dark-web publication of data related to Checkmarx.

External References

Source record: proprietary/checkmarx-ast/meta.yaml