www.stepsecurity.io 3/23/2026, 7:18:41 PM · via preferred

Checkmarx KICS GitHub Action Compromised: Malware Injected in All Git Tags

Primary Source github.com

According to Ashish Kurmi, on 23 March 2026 all release tags in the Checkmarx/kics-github-action repository were compromised with a malicious infostealer injected into setup[.]sh, meaning any workflow referencing the Action by a version tag is executing attacker-controlled code. The summary notes that the master branch appears clean but all release tags point to malicious commits, and that the repository and GitHub issue were taken offline, with the repository later coming back online.

The post urges users to stop using the Action by version tag and to rotate all secrets, since CI/CD workflows could have been exposed. It also recommends pinning to a full commit SHA going forward, once the Action is restored to a safe state. The malicious payload reportedly stole cloud provider credentials, SSH keys, and Kubernetes service account tokens, and exfiltrated the data in encrypted form to an attacker-controlled domain described as checkmarx[.]zone.

KICS, Checkmarx’s open-source IaC scanner, is widely used in enterprise CI/CD pipelines for scanning Terraform, Kubernetes, Docker, and CloudFormation files.
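To act on the pinning advice above, the following added example (not code from the original post or from Checkmarx) audits workflow text for `uses:` references that are not pinned to a full 40-character commit SHA and marks those that point at the repository named in the article. The sample workflow, its tag `v0.0.0-example` and the SHA in it are constructed placeholders.

```python
import re

# Matches a job- or step-level `uses:` value, ignoring quotes and trailing comments.
USES_RE = re.compile(r'^\s*(?:-\s*)?uses:\s*["\']?([^\s"\'#]+)')
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$', re.IGNORECASE)
AFFECTED = "checkmarx/kics-github-action"  # repository named in the article


def audit_workflow(text):
    """Return one finding per remote action reference not pinned to a full commit SHA."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        # Local actions and container images are not resolved through Git tags.
        if target.startswith(("./", "docker://")):
            continue
        path, _, ref = target.partition("@")
        if FULL_SHA_RE.match(ref):
            continue  # immutable reference: moving a tag cannot change what runs
        repo = "/".join(path.split("/")[:2]).lower()
        findings.append({
            "line": lineno,
            "action": path,
            "ref": ref or "(none)",
            "affected": repo == AFFECTED,  # referenced by tag or branch: treat secrets as exposed
        })
    return findings


# Constructed sample workflow; the tag and SHA below are placeholders, not real values.
SAMPLE_WORKFLOW = """\
name: iac-scan
on: [push]
jobs:
  kics:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # constructed SHA
      - name: Run KICS
        uses: Checkmarx/kics-github-action@v0.0.0-example
        with:
          path: terraform
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        label = "AFFECTED ACTION, ROTATE SECRETS" if f["affected"] else "not SHA-pinned"
        print(f"line {f['line']}: {f['action']}@{f['ref']} [{label}]")
```

A SHA pin only protects a workflow if the pinned commit itself has been reviewed as clean, which is why the post ties the recommendation to the Action being restored to a safe state.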


Article by CyberSIXT
