Summary
On March 23, 2026, a critical security advisory was filed reporting that all Git tags in the Checkmarx/kics-github-action repository have been compromised with a malicious infostealer injected into setup.sh. The master branch appears clean, but all release tags point to malicious commits, which means any workflow referencing the KICS Action by version tag (e.g., @v2.1.7, @v1.7.0, or @latest) is executing attacker-controlled code.
The GitHub issue and the Checkmarx/kics-github-action repository are no longer available.
Update: The repository is back online.
KICS (Keeping Infrastructure as Code Secure) is Checkmarx's open-source IaC scanner, widely used in enterprise CI/CD pipelines for scanning Terraform, Kubernetes, Docker, CloudFormation, and other infrastructure-as-code files.
This attack follows the same tag-poisoning pattern seen in recent GitHub Actions supply chain compromises, including the Trivy GitHub Actions compromise last week.
Immediate Actions Required
If you are using Checkmarx/kics-github-action in any workflows:
1. Stop using the Action by version tag
Remove or disable any workflow referencing checkmarx/kics-github-action by version tag until Checkmarx confirms the tags have been restored.
2. Rotate all secrets
Treat every secret accessible to your CI/CD workflows as compromised: cloud provider credentials (AWS, Azure, GCP), SSH keys, Kubernetes tokens, database credentials, API keys, Docker registry credentials, and GitHub PATs.
3. Pin to commit SHAs going forward
When the Action is restored to a safe state, always pin to a full commit SHA rather than a version tag; the snippet below shows the safe form.
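To find workflow files that still reference the Action by a mutable tag (the condition step 3 eliminates), the following script is an added example, not Checkmarx's code or part of the original advisory: it flags every `uses:` line for this Action whose ref is anything other than a full 40-hex commit SHA, run here against a constructed sample workflow.

```python
import re
import sys
from pathlib import Path

# Constructed sample workflow (not from the advisory) mixing tag, "latest" and SHA references.
SAMPLE_WORKFLOW = """\
name: iac-scan
on: [push]
jobs:
  kics:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run KICS
        uses: checkmarx/kics-github-action@v2.1.7
      - uses: Checkmarx/kics-github-action@latest
      - uses: checkmarx/kics-github-action@3f2a9c1d4e5b6a7f8091a2b3c4d5e6f708192a3b
"""

# A `uses:` step line; the target ends at whitespace or a trailing YAML comment.
USES_LINE = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s#]+)")
# Only a full 40-hex commit SHA is immutable; abbreviated SHAs are rejected as well.
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")


def find_mutable_refs(workflow_text, action="checkmarx/kics-github-action"):
    """Return (line_number, ref) for each use of `action` not pinned to a full commit SHA."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_LINE.match(line)
        if not match:
            continue
        target = match.group(1).strip("'\"")  # tolerate quoted YAML scalars
        if "@" not in target:
            continue
        name, ref = target.rsplit("@", 1)
        if name.lower() != action.lower():  # owner/repo names are case-insensitive on GitHub
            continue
        if not FULL_SHA.match(ref):
            findings.append((line_no, ref))
    return findings


def scan_files(paths):
    """Scan workflow files given on the command line; falls back to the embedded sample."""
    sources = [(p, Path(p).read_text()) for p in paths] or [("<sample>", SAMPLE_WORKFLOW)]
    return [(src, ln, ref) for src, text in sources for ln, ref in find_mutable_refs(text)]


if __name__ == "__main__":
    hits = scan_files(sys.argv[1:])
    for src, ln, ref in hits:
        print(f"{src}:{ln}: mutable reference @{ref} - pin to a full commit SHA")
    sys.exit(1 if hits else 0)
```

Run it as `python check_kics_refs.py .github/workflows/*.yml`; a non-zero exit means at least one workflow still needs to be pinned or disabled.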
```yaml
# SAFE - immutable reference
uses: checkmarx/kics-github-action@<verified-safe-commit-sha>
```

What We Know from the Original Advisory
Before the GitHub issue and repository were taken offline, the GitHub issue described the following:
The malicious payload injected into setup.sh across all release tags performed four distinct operations:
Credential theft: The malware targeted cloud provider credentials across AWS, Azure, and GCP, along with SSH keys and Kubernetes service account tokens.
CI/CD runner memory dumps: The payload performed memory dumps of CI/CD runner processes, a technique consistent with recent supply chain attacks where attackers read /proc/<pid>/mem to extract secrets stored in the GitHub Actions Runner.Worker process memory.
Encrypted exfiltration: Stolen data was encrypted and exfiltrated to checkmarx[.]zone, an attacker-controlled domain designed to impersonate the legitimate Checkmarx brand.
Persistence mechanisms: The malware attempted to maintain access through a systemd backdoor and by deploying privileged Kubernetes pods in environments where cluster credentials were available.
This Story Is Developing
We are actively investigating this compromise and will continue updating this post as more information becomes available.
Acknowledgement
Credit to GitHub user cyril-flieller for discovering and reporting this compromise.