KICS GitHub Action Compromised: TeamPCP Supply Chain Attack
released on 2026-03-24 @ 08:49:53 AM
The KICS GitHub Action, Checkmarx's open-source infrastructure-as-code security scanner, was compromised by TeamPCP, the group behind the recent Trivy attack. Between 12:58 and 16:50 UTC on March 23, 35 tags were hijacked, exposing users to credential-stealing malware. The attackers staged imposter commits and repointed the tags using a compromised identity. The malware uses a new C2 domain, creates a fallback repository, and adds Kubernetes-focused persistence code. Two OpenVSX extensions were also compromised. The payload targets cloud provider credentials and installs persistence on non-CI systems. Security teams are advised to audit workflows, search for exfiltration artifacts, and implement long-term hardening measures.
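As an added example (not code from the advisory or from Checkmarx), the following script audits a workflow file for the exposure described above: it flags every step that references a third-party action by a mutable tag or branch rather than a full commit SHA, which is what a tag hijack exploits, and ranks references to the KICS action highest. It assumes the action's repository slug is checkmarx/kics-github-action (the page does not name it), and the workflow text, its commit SHA and its version tags are constructed for the demo.

```python
import re
from dataclasses import dataclass
from typing import List

# Assumption: repository slug of the KICS action; the advisory above does not name it.
KICS_ACTION = "checkmarx/kics-github-action"

# `uses: owner/repo[/subdir]@ref` steps; local (./...) and docker:// uses carry no @ref and are skipped.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?([A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+)(?:/[^@'\"\s]*)?@([^'\"\s#]+)",
    re.MULTILINE,
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class Finding:
    action: str
    ref: str
    severity: str  # "high": the compromised action on a mutable ref; "medium": any other mutable ref


def audit_workflow(workflow_text: str) -> List[Finding]:
    """Return every third-party action reference that a hijacked tag could redirect."""
    findings = []
    for match in USES_RE.finditer(workflow_text):
        action, ref = match.group(1), match.group(2)
        if FULL_SHA_RE.match(ref):
            continue  # pinned to an immutable commit: moving a tag cannot change what runs
        severity = "high" if action.lower() == KICS_ACTION else "medium"
        findings.append(Finding(action, ref, severity))
    return findings


# Constructed workflow; the commit SHA and version tags are made up for the demo.
SAMPLE_WORKFLOW = """\
name: iac-scan
on: [push]
jobs:
  kics:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@1234567890abcdef1234567890abcdef12345678
      - name: Run KICS scan
        uses: checkmarx/kics-github-action@v2.1.3
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - uses: actions/upload-artifact@v4
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"[{f.severity}] {f.action}@{f.ref}: pin to a full commit SHA")
```

Run it over every file under `.github/workflows/` to find the steps to re-pin; a SHA-pinned reference still needs the usual review of what that commit contains.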