KICS GitHub Action Compromised: TeamPCP Strikes Again in Supply Chain Attack
ID: 95a84d21-2714-5f04-8f5c-e2bd648db3e2
STIX ID: report--95a84d21-2714-5f04-8f5c-e2bd648db3e2
Feed Name: Wiz Blog
The KICS GitHub Action was compromised on March 23 by the threat actor TeamPCP, who used a compromised service account to inject credential-stealing malware into multiple released tags. The malware contacted a new C2 domain (checkmarx.zone), created a fallback repository (docs-tpcp) for exfiltration, and established persistence in Kubernetes. Organizations using kics-github-action should audit their workflows for use of the affected tags, check for repository exfiltration artifacts, and follow the hardening guidance to remediate potential exposure.
