Hackers Compromise Checkmarx KICS Tool to Harvest Developer Credentials
AI-generated from multiple sources. Verify before acting on this reporting.
LONDON (AP) — Hackers have compromised Docker images and software extensions for a popular code security tool, gaining unauthorized access to sensitive developer credentials and cloud keys worldwide.
The attack targeted Checkmarx KICS, a static analysis tool used to scan infrastructure code for security vulnerabilities. Attackers injected malicious code into the tool's Docker images and Visual Studio Code extensions hosted on the Open VSX registry. The compromised software was designed to exfiltrate sensitive data from the environments where it was installed.
The intrusion was detected on April 23, 2026. Security researchers identified that the malicious code was configured to harvest GitHub tokens, cloud service credentials, SSH keys, and environment variables from developer workstations. The scope of the breach is global, affecting developer environments wherever the compromised versions of the tool were deployed.
Checkmarx, a subsidiary of Broadcom, has not yet issued a public statement regarding the incident. The company's security team is reportedly investigating the extent of the compromise and working to remove the malicious code from its repositories. Developers are advised to immediately uninstall the affected versions of the KICS tool and rotate any credentials that may have been exposed.
The attack bears hallmarks of the cybercriminal group known as TeamPCP, though attribution remains unconfirmed. TeamPCP has a history of targeting software supply chains to steal credentials and intellectual property. The group typically operates by compromising legitimate software packages to distribute malware to unsuspecting users.
The incident highlights the growing risks associated with software supply chain attacks. By targeting a security tool, the attackers exploited the trust developers place in software designed to protect their code. The breach underscores the need for organizations to verify the integrity of all software components before deployment.
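One concrete way to act on the integrity point above, before a scanner image ever runs in a pipeline, is to refuse mutable tags and accept only content digests that were verified out of band. The script below is an added example written for this article; it is not code from the article, from Checkmarx, or from the KICS project. The registry, image names, and digests in it are constructed placeholders (not the real KICS image or any real hash), and the allowlist stands in for whatever record of verified digests an organization actually keeps.

```python
"""Audit container image references for supply-chain hygiene.

Added example, not taken from the article or from Checkmarx/KICS.
Two checks are applied to each image reference a pipeline would pull:
  1. It must be pinned to an immutable sha256 digest, not a mutable tag
     (a tag can be re-pointed by whoever controls the publisher account).
  2. The digest must match an entry in a locally kept allowlist of digests
     verified out of band (signature check, vendor bulletin, own build).
All names and digests below are constructed placeholders.
"""
import re
from dataclasses import dataclass

# Simplified reference grammar: name[:tag][@sha256:<64 hex>]
# (registry host ports such as host:5000/... are deliberately not handled).
_REF = re.compile(
    r"^(?P<name>[a-z0-9][a-z0-9._/-]*?)"
    r"(?::(?P<tag>[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)


@dataclass(frozen=True)
class Finding:
    ref: str
    severity: str  # "ok", "warn" or "block"
    reason: str


def parse_ref(ref):
    """Split an image reference into (name, tag, digest); tag/digest may be None."""
    m = _REF.match(ref)
    if not m:
        raise ValueError(f"unparseable image reference: {ref!r}")
    return m.group("name"), m.group("tag"), m.group("digest")


def audit_ref(ref, allowlist):
    """allowlist maps image name -> set of sha256 digests verified out of band."""
    name, _tag, digest = parse_ref(ref)
    if digest is None:
        # Unpinned: the same tag can resolve to different content tomorrow,
        # which is how a compromised publisher reaches existing users.
        return Finding(ref, "block", "not pinned to a digest; tag is mutable")
    known = allowlist.get(name)
    if known is None:
        return Finding(ref, "warn", "image not in allowlist; verify before use")
    if digest not in known:
        # Pinned, but to content nobody has vetted: treat like a tag swap.
        return Finding(ref, "block", "digest differs from every verified digest")
    return Finding(ref, "ok", "digest matches a verified entry")


def audit_all(refs, allowlist):
    return [audit_ref(r, allowlist) for r in refs]


# Constructed sample data (placeholders, not real images or hashes).
VERIFIED_DIGEST = "sha256:" + "a" * 64
UNKNOWN_DIGEST = "sha256:" + "b" * 64
ALLOWLIST = {"registry.example/vendor/scanner": {VERIFIED_DIGEST}}
SAMPLE_REFS = [
    "registry.example/vendor/scanner:latest",               # mutable tag
    "registry.example/vendor/scanner@" + VERIFIED_DIGEST,   # pinned, verified
    "registry.example/vendor/scanner@" + UNKNOWN_DIGEST,    # pinned, unvetted
    "registry.example/other/tool@" + VERIFIED_DIGEST,       # not on allowlist
]

if __name__ == "__main__":
    for f in audit_all(SAMPLE_REFS, ALLOWLIST):
        print(f"{f.severity:5}  {f.ref}\n       {f.reason}")
```

Run on the constructed manifest, the four references come back as block, ok, block and warn respectively. The same pattern applies to editor extensions: record the version and publisher you vetted, and treat anything that resolves to different content as unverified until someone checks it.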
Security experts warn that the stolen credentials could be used to access corporate networks, cloud infrastructure, and source code repositories. The attackers may have already used the harvested data to launch further attacks or sell the information on dark web marketplaces.
The full extent of the damage remains unclear. It is unknown how many developers were affected or how long the malicious code remained in the software supply chain before detection. Checkmarx has not disclosed whether the attackers successfully exfiltrated any data or if the compromised versions were widely distributed.
As the investigation continues, cybersecurity firms are monitoring for signs of further exploitation. The incident serves as a stark reminder of the vulnerabilities inherent in modern software development practices and the critical importance of supply chain security.