All Git tags in the Checkmarx/kics-github-action repository have been compromised with an infostealer injected into setup.sh. Any CI/CD workflow referencing the KICS Action by version tag (e.g., @v2.1.7, @latest) is executing attacker-controlled code. The malware steals cloud credentials (AWS, Azure, GCP), SSH keys, Kubernetes tokens, dumps runner process memory, exfiltrates data to a spoofed domain, and installs persistence via systemd backdoor and privileged Kubernetes pods. Immediate actions: stop using the action by tag, rotate all CI/CD secrets, and pin to verified commit SHAs going forward.
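As an added illustration of the last recommendation (this is example code, not from the advisory or from Checkmarx), the following Python scans a workflow file for references to the action and reports which ones are pinned to a full commit SHA rather than to a mutable tag such as @v2.1.7 or @latest. The sample workflow is constructed, and the 40-hex SHA in it is a placeholder, not a verified KICS commit.

```python
import re

# A `uses:` step in a GitHub Actions workflow, e.g.
#     - uses: Checkmarx/kics-github-action@v2.1.7
USES_RE = re.compile(r'^[ \t]*-?[ \t]*uses:[ \t]*["\']?([^\s"\'#]+)', re.MULTILINE)
# Only a full 40-hex commit SHA is immutable; tags and branches can be moved by an attacker.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow; the SHA on the last step is a placeholder, not a real KICS commit.
SAMPLE_WORKFLOW = """\
name: kics
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: run kics
        uses: Checkmarx/kics-github-action@v2.1.7
      - uses: Checkmarx/kics-github-action@latest
      - uses: Checkmarx/kics-github-action@0123456789abcdef0123456789abcdef01234567
"""

def audit_workflow(yaml_text, action="Checkmarx/kics-github-action"):
    """Return (line_no, ref, pinned) for every reference to `action`.

    pinned is True only when ref is a full commit SHA; a tag (@v2.1.7),
    @latest or a branch name is mutable and is reported as unpinned.
    """
    findings = []
    target = action.lower()
    for m in USES_RE.finditer(yaml_text):
        repo, _, ref = m.group(1).partition("@")
        repo = repo.lower()
        # also catch sub-directory uses such as owner/repo/path@ref
        if repo != target and not repo.startswith(target + "/"):
            continue
        line_no = yaml_text.count("\n", 0, m.start()) + 1
        findings.append((line_no, ref, bool(SHA_RE.match(ref))))
    return findings

def unpinned_refs(yaml_text, action="Checkmarx/kics-github-action"):
    """Refs that must be replaced by a verified commit SHA before the workflow runs again."""
    return [ref for _, ref, pinned in audit_workflow(yaml_text, action) if not pinned]

if __name__ == "__main__":
    for line_no, ref, pinned in audit_workflow(SAMPLE_WORKFLOW):
        status = "pinned to SHA" if pinned else "MUTABLE REF: rotate secrets and pin to a verified SHA"
        print(f"line {line_no}: @{ref} -> {status}")
```

Run it over each `.github/workflows/*.yml` in the repository; any unpinned reference means the runner may already have executed the trojaned setup.sh and its secrets should be treated as exposed.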