We have identified that this repository has been compromised. A malicious script has been injected into all existing Git tags. While the master branch currently appears clean, every release tag now points to a malicious commit that was not authored by the original maintainers.
The injected code is a sophisticated Infostealer designed to:
-
Steal Secrets: Scans for AWS, Azure, GCP credentials, SSH keys, and Kubernetes tokens
-
Memory Dump: Extracts secrets directly from the RAM of CI/CD runners (targeting Runner.Worker)
-
Exfiltrate Data: Encrypts stolen data and sends it to an external server (checkmarx.zone) or creates a hidden release in a rogue repository using the victim's GITHUB_TOKEN
-
Persistence: Attempts to install a backdoor via a systemd service (sysmon) and deploy privileged pods in Kubernetes clusters
➡️ https://github.com/Checkmarx/kics-github-action/blob/v2.1.20/setup.sh
We have identified that this repository has been compromised. A malicious script has been injected into all existing Git tags. While the master branch currently appears clean, every release tag now points to a malicious commit that was not authored by the original maintainers.
The injected code is a sophisticated Infostealer designed to:
Steal Secrets: Scans for AWS, Azure, GCP credentials, SSH keys, and Kubernetes tokens
Memory Dump: Extracts secrets directly from the RAM of CI/CD runners (targeting
Runner.Worker)Exfiltrate Data: Encrypts stolen data and sends it to an external server (
checkmarx.zone) or creates a hidden release in a rogue repository using the victim'sGITHUB_TOKENPersistence: Attempts to install a backdoor via a systemd service (
sysmon) and deploy privileged pods in Kubernetes clusters➡️ https://github.com/Checkmarx/kics-github-action/blob/v2.1.20/setup.sh