Checkmarx said on Tuesday that attackers had broken into a version of Keeping Infrastructure as Code Secure (KICS), the open source static code analysis project that it develops and maintains. This came right after a wide-ranging supply chain attack that affected the Aqua Security-maintained Trivy open source security-scanner project.

The hackers got into the KICS GitHub Action, which companies use to run KICS scans in their CI/CD pipelines, and infected several versions of the software. Checkmarx said that any company whose automated CI/CD pipelines ran the KICS GitHub Action during a four-hour window on the morning of March 23 could be affected.
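A first step for a defender reading this is to find every pipeline that references the action and see whether each reference is pinned to an immutable commit SHA or to a mutable tag or branch that an attacker with write access could repoint. The script below is an added example, not code from the article or from Checkmarx; the action slug `checkmarx/kics-github-action` and the sample workflow (including its placeholder 40-hex-digit SHA) are assumptions constructed for illustration.

```python
"""Audit GitHub Actions workflow text for references to a given action.

Added example (not from the article). For each `uses:` line that names the
action, it reports the line number, the ref, and whether that ref is a full
40-hex-digit commit SHA (immutable) or a tag/branch (mutable, repointable).
"""
import re
from dataclasses import dataclass

# Assumption: the repository slug of the KICS GitHub Action. Adjust as needed.
ACTION_SLUG = "checkmarx/kics-github-action"

# Matches `uses: owner/repo[/subpath]@ref`, with or without a leading list dash
# and optional quotes. [ \t]* (not \s*) keeps the match on a single line so the
# reported line numbers stay correct.
USES_RE = re.compile(
    r"""^[ \t]*-?[ \t]*uses:[ \t]*["']?([\w.-]+/[\w.-]+)(?:/[^@\s"']+)?@([^\s"']+)""",
    re.MULTILINE,
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class Finding:
    line: int      # 1-based line number in the workflow text
    slug: str      # owner/repo of the referenced action
    ref: str       # the part after '@'
    pinned: bool   # True only for a full commit SHA


def audit_workflow(text: str, slug: str = ACTION_SLUG) -> list[Finding]:
    """Return every reference to `slug` in the workflow text, in file order."""
    findings = []
    for m in USES_RE.finditer(text):
        found_slug, ref = m.group(1), m.group(2)
        if found_slug.lower() != slug.lower():
            continue
        line = text.count("\n", 0, m.start()) + 1
        findings.append(Finding(line, found_slug, ref, bool(FULL_SHA_RE.match(ref))))
    return findings


def unpinned_refs(text: str, slug: str = ACTION_SLUG) -> list[str]:
    """Refs for `slug` that are tags or branches rather than commit SHAs."""
    return [f.ref for f in audit_workflow(text, slug) if not f.pinned]


# Constructed sample workflow: one mutable tag reference and one SHA-pinned
# reference. The SHA is a placeholder, not a real KICS commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: KICS scan (mutable tag)
        uses: checkmarx/kics-github-action@v2.1.0
      - name: KICS scan (pinned)
        uses: checkmarx/kics-github-action@0123456789abcdef0123456789abcdef01234567
"""


if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        status = "pinned to commit SHA" if f.pinned else "MUTABLE ref (tag/branch)"
        print(f"line {f.line}: {f.slug}@{f.ref} -> {status}")
```

Run over every `.github/workflows/*.yml` in your repositories; any reference listed as a mutable ref is one whose contents can change without a change in your own code, which is exactly the exposure the KICS GitHub Action compromise exploited. Pinning to a SHA is a prerequisite, not a complete answer: the pinned commit still has to be one you have reviewed or obtained from a trusted release.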

On the same day, threat actors also uploaded malicious versions of two Checkmarx VS Code plug-ins to the OpenVSX registry. These plug-ins were available for download for about three hours on March 23. The news of the attacks came just days after Aqua Security first reported an attack in which a hacker used stolen privileged access credentials to poison 76 of 77 previously released versions of Trivy's GitHub Action with an infostealer.

A link to the Queen video "The Show Must Go On" that the attackers left behind "suggests that this is only the beginning."

## The TeamPCP Cyber Threat Set to Grow

Wiz Research, which is independently tracking the campaign, has also linked the activity to TeamPCP. Wiz says its telemetry also points to a single threat actor behind the Trivy, Checkmarx, and LiteLLM compromises.

The company thinks that TeamPCP has started working with the infamous LAPSUS$ extortion group to "keep the chaos going." Ben Read, a lead researcher at Wiz, said in a statement, "This isn't just credential stealing; it's an ecosystem-wide 'cascade' targeting the modern cloud-native and AI stack."

He said that Wiz researchers found that LiteLLM is present in 36% of all cloud environments. "This campaign gets a foothold in the most sensitive parts of the development life cycle by going after security scanners and AI tools," he said. "Public Telegram messages from the actors warn of a 'snowball effect' and future targets across favorite open-source projects."

Read told ZeroOwl in separate comments that the attack that used OpenVSX plug-ins was also part of the same campaign because it used the same code and public key: "The actors have said they are working with different organizations, probably to carry out extortions, but we have not confirmed that this has happened yet."