appsec.fyi — checkov

appsec.fyi — checkov https://appsec.fyi/tools.html#checkov Curated checkov resources from appsec.fyi en-us Sat, 27 Jun 2026 16:05:50 +0000 carl@chs.us (Carl Sampson) KICS GitHub Action Compromised: TeamPCP Strikes Again in Supply Chain Attack https://wiz.io/blog/teampcp-attack-kics-github-action https://wiz.io/blog/teampcp-attack-kics-github-action Writeup detailing a supply chain attack on the Checkmarx KICS GitHub Action by TeamPCP, compromising 35 tags and distributing credential-stealing malware via a `setup.sh` script. The attack, similar to the Trivy incident, leverages compromised identities and hardcoded RSA keys, with a new Kubernetes persistence mechanism for follow-on operations. The malware exfiltrates secrets from environment variables, runner memory, AWS metadata, and Kubernetes API, encrypting them and uploading them to GitHub repositories or attacker-controlled domains. checkov news Wed, 10 Jun 2026 06:01:31 +0000 Analyzing TeamPCPs Supply Chain Attacks: Checkmarx KICS and elementary-data in CI/CD Credential Theft https://www.trendmicro.com/en_us/research/26/e/analyzing-teampcp-supply-chain-attacks.html https://www.trendmicro.com/en_us/research/26/e/analyzing-teampcp-supply-chain-attacks.html Library analyzing TeamPCP's supply chain attacks, specifically the Checkmarx KICS and elementary-data incidents. The campaign leverages CI/CD and release workflows to steal credentials like GitHub PATs, npm tokens, and cloud secrets. Techniques include multichannel poisoning across Docker Hub, VS Code extensions, and GitHub Actions, as well as GitHub Actions script injection to produce malicious packages signed by legitimate CI, targeting ecosystems like PyPI and GHCR. checkov news Thu, 14 May 2026 07:35:38 +0000 Malicious KICS Docker Images and VS Code Extensions Hit Checkmarx Supply Chain https://thehackernews.com/2026/04/malicious-kics-docker-images-and-vs.html https://thehackernews.com/2026/04/malicious-kics-docker-images-and-vs.html Writeup of supply chain attacks targeting Checkmarx, detailing malicious KICS Docker images and VS Code extensions. Threat actors overwrote Docker Hub tags and introduced compromised versions of the `cx-dev-assist` and `ast-results` extensions. The compromised artifacts exfiltrated GitHub tokens, AWS and Azure credentials, and SSH keys to external endpoints. These attacks, potentially by TeamPCP, leveraged stolen credentials to inject malicious GitHub Actions workflows and republish npm packages, creating further propagation paths. checkov news Wed, 22 Apr 2026 19:10:32 +0000