Checkmarx KICS Code Scanner Targeted in Widening Supply Chain Hit
Dark Reading
TeamPCP is the likely cyber threat actor behind attacks on Trivy, Checkmarx's KICS and VS Code plug-ins, and the LiteLLM AI library — and all signs point to more attacks to come.
Jai Vijayan, Contributing Writer
March 24, 2026
Hard on the heels of a broad supply chain attack that impacted the Aqua Security-maintained Trivy open source security-scanner project, Checkmarx on Tuesday disclosed that attackers had compromised a version of Keeping Infrastructure as Code Secure (KICS), the open source static code analysis project that it develops and maintains.
Specifically, the cybercriminals infiltrated the KICS GitHub Action, which organizations use to run KICS scans within their CI/CD pipelines, and poisoned multiple versions of it. Any organization whose automated CI/CD pipelines were configured to run the KICS GitHub Action during a four-hour window on the morning of March 23 could potentially be impacted, Checkmarx said.
The same day, threat actors also published malicious versions of two of the Checkmarx VS Code plug-ins to the OpenVSX registry, where they were available for download for a period of about three hours on March 23.
News of the attacks follows just days after Aqua Security first reported an attack in which a threat actor used previously stolen privileged access credentials to poison 76 of 77 previously released versions of Trivy's GitHub Action with an infostealer. The same threat actor also exploited a compromised automated service account to publish two compromised Docker images.
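A defender-side check for the exposure described above (pipelines that pull a scanner action by a mutable tag that an attacker with publishing access can re-point), written here as an added example and not code from Checkmarx, Aqua, or the article: it scans a workflow file for `uses:` steps that reference a watchlisted action by anything other than a full commit SHA. The action slugs and the sample workflow are assumptions constructed for the example.

```python
import re

# Constructed sample workflow (not from any real repository). The action slugs
# checkmarx/kics-github-action and aquasecurity/trivy-action are assumed to be
# what the article calls the "KICS GitHub Action" and "Trivy's GitHub Action";
# example-org/pinned-action and its SHA are made up to show the pinned case.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: KICS scan
        uses: checkmarx/kics-github-action@v2
      - name: Trivy scan
        uses: aquasecurity/trivy-action@0.28.0
      - name: Pinned step (hypothetical action, constructed SHA)
        uses: example-org/pinned-action@0123456789abcdef0123456789abcdef01234567
"""

# Actions the article reports as poisoned; extend with your own watchlist.
WATCHLIST = {"checkmarx/kics-github-action", "aquasecurity/trivy-action"}

# Matches `uses: owner/repo[/subpath]@ref`; local (./) and docker:// steps are skipped.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+)(?:/[\w./-]*)?@(\S+)", re.M)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text):
    """Return (action, ref, severity) findings for one workflow file's text.

    A ref is treated as mutable unless it is a full 40-hex commit SHA. A tag or
    branch can be re-pointed at poisoned code (the Trivy case: 76 of 77 released
    versions), so a mutable ref to a watchlisted action is reported as HIGH; any
    other unpinned action is MEDIUM; SHA-pinned steps produce no finding.
    """
    findings = []
    for m in USES_RE.finditer(text):
        action, ref = m.group(1).lower(), m.group(2)
        if SHA_RE.match(ref):
            continue
        severity = "HIGH" if action in WATCHLIST else "MEDIUM"
        findings.append((action, ref, severity))
    return findings


if __name__ == "__main__":
    for action, ref, severity in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{severity}: {action}@{ref} is not pinned to a commit SHA")
```

Run it over `.github/workflows/*.yml` across your repositories to find which pipelines could have pulled a poisoned tag; correlating those with workflow run timestamps inside the disclosed window is what then tells you which runs actually executed it.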
At least one security vendor has attributed the malware used in the Trivy and the Checkmarx attacks to TeamPCP, a threat actor that is gaining attention for its automated attacks on cloud infrastructure, many of which involve credential theft. And there appear to be other supply chain targets as well.
A Broadening Supply Chain Attack
GitGuardian on Tuesday reported that the campaign had spread to the PyPI software registry, where the threat actor it identifies as TeamPCP had infected LiteLLM package versions 1.82.7 and 1.82.8 with the same infostealer malware used in the Trivy campaign.
The infostealer in the poisoned versions of LiteLLM, which the maintainers of PyPI have now removed, enables a full range of credential theft, including lifting SSH keys and cloud credentials, API tokens, Docker configurations, information tied to crypto wallets, and more, GitGuardian said.
Many organizations use LiteLLM to build AI-powered applications, so the potential impact could be wide.
"LiteLLM is downloaded millions of times a day and it is highly likely that the blast radius is significant, despite PyPI’s quick response in removing the malicious package," Guillaume Valadon, cybersecurity researcher at GitGuardian, tells Dark Reading.
For organizations, the message is clear, Valadon says: "Attackers are after your secrets. When it comes to incident response, the key now is to have a real-time inventory of compromised secrets so you can revoke them in an instant, thereby neutralizing the threat posed by these supply chain attacks using infostealers."
Attackers Are After Developer Secrets
Checkmarx has so far not disclosed full details of the compromise involving the two malicious VS Code plug-ins or the one involving the KICS GitHub Action, beyond saying they're linked. The company has not, for instance, provided details on the malicious payload. But its recommendation that automated build pipelines which might have touched the infected plug-ins immediately rotate all credentials, access keys, and logins suggests the payload is an infostealer.
In response to a Dark Reading request, a Checkmarx spokesman said via email that the company has already communicated details of the incident to customers in addition to its public disclosure. "[Checkmarx is] in the process of adding an update that the malicious artifacts have been removed from Open VSX. We continue our active investigation and will share more as we have it," the statement read.
According to GitGuardian's Valadon, there is little doubt that the attacks involving Aqua's Trivy, Checkmarx's VS Code plug-ins, the KICS GitHub Action, and LiteLLM are all related. "They share similar indicators of compromise (IoCs), such as the public key used for exfiltration, the targeted services and files, as well as the persistence technique," he says.
Meanwhile, a message left by the attackers, a link to the Queen video "The Show Must Go On," "suggests that this is only the beginning," he says.
The TeamPCP Cyber Threat Set to Grow
Wiz Research, which is independently tracking the campaign, has also attributed the activity to TeamPCP, saying its telemetry also points to a common threat actor behind the Trivy, Checkmarx, and LiteLLM compromises. The company believes that TeamPCP has begun collaborating with the notorious LAPSUS$ extortion group to "perpetuate the chaos."
"This isn't just credential stealing; it’s an ecosystem-wide 'cascade' targeting the modern cloud-native and AI stack," Ben Read, a lead researcher at Wiz, said in a statement. Wiz's research has shown LiteLLM is present in 36% of all cloud environments, he said.
"By targeting security scanners and AI tools, this campaign gains a foothold in the most sensitive parts of the development life cycle," he explained. "Public Telegram messages from the actors warn of a 'snowball effect' and future targets across favorite open-source projects."
In separate comments to Dark Reading, Read says the attacks involving the OpenVSX plug-ins were also part of the same campaign because they involve the same code and public key: "The actors have said they are partnering with different organizations, likely to carry out extortions, but we have not confirmed that this has happened yet."
About the Author
Jai Vijayan
Contributing Writer
Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.