
Checkmarx KICS tool compromised in supply-chain attack

Hackers compromised Docker images and VSCode extensions for the Checkmarx KICS security scanner to steal developer credentials.

Sources: 1 verified
Updated: Friday, 24 April 2026 at 13:26 UTC

Hackers have executed a supply-chain attack against the Checkmarx KICS infrastructure security scanner, compromising its official Docker images and VSCode extensions. The malicious artifacts, active for about 90 minutes on April 22, 2026, were designed to steal a wide range of developer credentials, including GitHub tokens, cloud service keys, and SSH keys, exfiltrating the data to fake domains. Checkmarx has removed the compromised artifacts and is investigating with external experts, while developers who used the tools during the compromise window are urged to rotate all secrets and rebuild their environments.