Checkmarx hit again, popular tools spreading credential-stealing malware
Checkmarx has reportedly suffered a second security incident within a month, with attackers injecting credential-stealing malware into widely used developer tools. The compromise has affected popular...
Checkmarx has reportedly suffered a second security incident within a month, with attackers injecting credential-stealing malware into widely used developer tools. The compromise has affected popular distribution channels including Docker Hub and VS Code extensions, raising serious concerns about software supply chain security and developer trust in open-source ecosystems.
Table Of Content
Malware found in widely used developer tools
Security researchers revealed that malicious code was inserted into Checkmarx’s KICS (Keeping Infrastructure as Code Secure) Docker images and VS Code extensions. The infected versions were uploaded using existing trusted tags such as v2.1.20 and latest, meaning developers unknowingly downloaded compromised builds instead of safe ones. Since KICS is downloaded millions of times for infrastructure security scanning, the impact could potentially be widespread across development environments.
Credential theft and data exfiltration risks
The injected malware is designed to steal sensitive developer and cloud credentials, including GitHub tokens, AWS and Azure credentials, Google Cloud access data, SSH keys, and environment variables. It then encrypts and exfiltrates the stolen information to attacker-controlled systems. In some cases, it even pushes stolen data into public repositories under victim accounts, increasing the risk of further exploitation and secondary attacks.
Supply chain impact and developer exposure
Checkmarx tools are widely used in CI/CD pipelines to scan infrastructure-as-code files like Terraform, Kubernetes, and CloudFormation. Security experts warn that any secrets exposed during scans should now be considered compromised. Developers are being urged to rotate credentials, audit GitHub repositories, review npm packages, and check cloud logs for unusual activity as part of incident response measures.
Ongoing supply chain attack campaign
Security analysts suggest the attack may be linked to a threat group known as TeamPCP, which has been targeting software supply chains across ecosystems like GitHub, npm, PyPI, Docker Hub, and OpenVSX since late 2025. This campaign has previously affected other major developer tools, highlighting a growing trend of attackers focusing on trusted open-source infrastructure to spread malware at scale.
