Developer environments using KICS data exposed after Checkmarx breach
Data Leak
Summary
The compromised Checkmarx KICS toolchain was used to exfiltrate GitHub tokens, cloud credentials, and other secrets from developer environments, creating immediate account-takeover risk. The stolen data was encrypted and sent to audit.checkmarx[.]cx, and public GitHub repositories were automatically created for exfiltration. The malicious DockerHub image was active from 2026-04-22 14:17:59 UTC to 2026-04-22 15:41:31 UTC. Anyone who pulled the tainted artifacts should assume their secrets may be compromised and rotate credentials.
Related Happenings
GitHub hit by network compromise
Incident
First: 20.05.2026 07:01
Last: 20.05.2026 07:01
Sources 1
About this happening:
GitHub is investigating unauthorized access to its internal repositories after a third party allegedly offered stolen material for sale on a cybercrime forum. The intrusion was li...
Latest development: 20.05.2026 13:45
GitHub detected unauthorized access tied to a poisoned Visual Studio Code (VS Code) extension on an employee device, removed the malicious extension version, isolated the endpoint, and began incident response to contain exposure across internal repositories.
CISA contractor GitHub repository exposed internal credentials
Data Leak
First: 18.05.2026 23:48
Last: 18.05.2026 23:48
Sources 1
About this happening:
A **CISA contractor** left a public **GitHub repository** exposing **AWS GovCloud credentials** and internal access material, creating a serious **data leak** involving sensitive...
Latest development: 22.05.2026 19:34
On May 19, Sen. Maggie Hassan and Rep. Bennie Thompson, with Rep. Delia Ramirez co-signing Thompson’s letter, sent separate letters to CISA demanding answers about the Private-CISA GitHub leak and warning that the credential exposure raised serious concerns about CISA’s internal policies, contract support, and security culture.
Mistral AI hit by network compromise
Incident
First: 15.05.2026 01:50
Last: 15.05.2026 01:50
Sources 1
About this happening:
Mistral AI disclosed a **codebase management system compromise** tied to the **Mini Shai-Hulud** supply-chain attack, and the intrusion briefly contaminated some **SDK packages**....
Shai-Hulud supply-chain campaign spreading via stolen CI/CD credentials
Campaign
First: 12.05.2026 14:29
Last: 12.05.2026 14:29
Sources 1
About this happening:
The **Shai-Hulud** **supply-chain campaign** remains active across **npm**, **PyPI**, and **Composer**, with the latest reporting tying **TeamPCP** to both a claimed **GitHub inte...
Rogue Checkmarx Jenkins AST plugin release on Jenkins Marketplace
Security Tool/Service
First: 12.05.2026 01:03
Last: 12.05.2026 01:03
Sources 1
About this happening:
A **rogue 2026.5.09 release** of the **Checkmarx Jenkins AST plugin** was uploaded to **repo.jenkins-ci.org**, undermining trust in a security-scanning component used in **Jenkins...
Timeline
23.04.2026 19:05 2 articles · 1mo ago
Developer environments using KICS data exposed after Checkmarx breach
Initial Disclosure
The first visible phase was a trojanized **checkmarx/kics** Docker image on Docker Hub, later linked to compromised **VSCode** and **Open VSX** extensions. That initial delivery path mattered because it reached developer environments that routinely process sensitive infrastructure secrets.
- New Checkmarx supply-chain breach affects KICS analysis tool — www.bleepingcomputer.com — 23.04.2026 19:05