The Checkmarx KICS code scanner has recently been targeted in a new supply chain cyberattack. This incident has raised serious concerns among developers and security experts. It is part of a larger campaign affecting widely used development tools. Researchers have linked this activity to a threat group known as TeamPCP.

The attack focused mainly on the KICS GitHub Action used in CI/CD pipelines, a tool that automatically scans code for security issues. Attackers managed to inject malicious code into certain versions of it, so workflows that pulled those versions executed the attackers' scripts as part of a normal run, without detection.

The exposure window was short but critical. Reports suggest the compromise occurred during a limited period on March 23. Any organization whose pipeline ran the affected version during that window could be impacted, and because CI/CD pipelines run automatically, the risk spread quickly.

In parallel, attackers used a second route to reach developers: malicious versions of Checkmarx-related extensions were uploaded to the OpenVSX registry. These extensions looked legitimate but contained hidden malicious code, and developers who installed them unknowingly exposed their systems.

The attack follows a pattern seen in earlier supply chain incidents, such as those that targeted Trivy using stolen credentials. Rather than exploiting software bugs, the attackers abuse trusted access, which makes detection harder and greatly increases the impact.

The malware used in this campaign is built to steal sensitive information: it collects cloud credentials, API keys and SSH keys from infected systems and sends them to attacker-controlled servers. Such material enables deeper and more damaging follow-on attacks.

Researchers have found the campaign spreading across multiple platforms, including the PyPI registry, where malicious packages such as compromised versions of LiteLLM have been identified. The attackers are evidently targeting a wide range of developer tools.

Overall, the incident illustrates a shift in modern attack strategy: compromising a tool used by many organizations at once lets an attacker scale quickly and efficiently. Experts advise developers to review their systems, rotate credentials that a compromised pipeline or extension could have reached, and monitor activity closely.
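One concrete check that follows from the Action compromise above: a mutable tag such as `@v2` or `@main` is exactly what lets a poisoned release slip into a pipeline, while a full commit SHA does not move. The audit below is an added example, not code from this article or from Checkmarx; it scans a workflow file for `uses:` references that are not pinned to a 40-hex commit SHA and separately flags the KICS action for review. The repository slug `checkmarx/kics-github-action` is assumed here, and the embedded workflow, its SHA and version strings are constructed placeholders.

```python
import re
from typing import List, Tuple

# A "uses:" step in a GitHub Actions workflow: owner/repo[/path]@ref
USES_RE = re.compile(r'^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(\S+)')
# An immutable reference is a full 40-character hex commit SHA.
SHA_RE = re.compile(r'^[0-9a-f]{40}$')
# Action named in the article; the slug itself is an assumption, not from the page.
WATCHLIST = {"checkmarx/kics-github-action"}

# Constructed sample workflow (SHA and version tags are placeholders).
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - name: Run KICS
        uses: checkmarx/kics-github-action@v2
      - uses: aquasecurity/trivy-action@master
"""


def audit_workflow(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, action@ref, finding) for each 'uses:' line that is
    pinned to a mutable ref (tag or branch) or references a watch-listed action."""
    findings: List[Tuple[int, str, str]] = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue  # not a remote action reference (local ./path, docker://, etc.)
        action, ref = m.group(1), m.group(2)
        repo = "/".join(action.split("/")[:2]).lower()
        if not SHA_RE.match(ref):
            findings.append((n, f"{action}@{ref}",
                             "mutable ref (tag/branch); pin to a full commit SHA"))
        if repo in WATCHLIST:
            findings.append((n, f"{action}@{ref}",
                             "watch-listed action; verify version against vendor advisory"))
    return findings


if __name__ == "__main__":
    for line_no, ref, finding in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {ref}: {finding}")
```

Run it against every file under `.github/workflows/` in a repository; a SHA-pinned reference still needs to be checked against the vendor's advisory if the pinned commit falls inside the exposure window.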
Stay alert, and keep your security measures updated!
Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news
