CRITICAL SECURITY ADVISORY: Repository compromised - Malware injected in all Git Tags #152

@cyril-flieller

I have identified that this repository has been compromised. A malicious script has been injected into all existing Git tags. While the master branch currently appears clean, every release tag now points to a malicious commit that was not authored by the original maintainers.

The injected code is a sophisticated Infostealer designed to:

  • Steal Secrets: Scans for AWS, Azure, GCP credentials, SSH keys, and Kubernetes tokens

  • Memory Dump: Extracts secrets directly from the RAM of CI/CD runners (targeting Runner.Worker)

  • Exfiltrate Data: Encrypts stolen data and sends it to an external server (checkmarx.zone) or creates a hidden release in a rogue repository using the victim's GITHUB_TOKEN

  • Persistence: Attempts to install a backdoor via a systemd service (sysmon) and deploy privileged pods in Kubernetes clusters

➡️ https://github.com/Checkmarx/kics-github-action/blob/v2.1.20/setup.sh
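The symptom reported above (release tags force-moved onto commits that the trusted branch never contained) can be audited mechanically. The script below is an added example, not code from the issue or from the KICS project: it lists every tag whose target commit is not an ancestor of a trusted branch, and it builds a small constructed repository (branch name `main`, tags `v0.9.0` and `v1.0.0`, empty commits) only to demonstrate the check offline. It assumes a POSIX shell and a working `git` on PATH.

```shell
#!/bin/sh
# Added example (not from the original issue): audit a Git repository for tags
# whose commit is not reachable from the trusted branch. A release tag that was
# re-pointed at a commit outside the branch history is the pattern the report
# describes, so every tag printed here deserves manual review.

set -u

# find_orphan_tags REPO_DIR TRUSTED_BRANCH
# Prints "<tag> <commit>" for every tag whose target commit is NOT an ancestor
# of TRUSTED_BRANCH. Exit status 0 when all tags descend from the branch,
# 1 when at least one suspicious tag was found.
find_orphan_tags() {
    repo="$1"
    branch="$2"
    found=0
    for tag in $(git -C "$repo" tag --list); do
        # ^{commit} peels annotated tags down to the commit they point at
        target=$(git -C "$repo" rev-parse "${tag}^{commit}")
        if ! git -C "$repo" merge-base --is-ancestor "$target" "$branch"; then
            echo "$tag $target"
            found=1
        fi
    done
    return $found
}

# build_demo_repo DIR: constructed repository used only for this demonstration.
# One clean commit on "main" carries tags v0.9.0 and v1.0.0; v1.0.0 is then
# force-moved onto a commit that is not part of main's history.
build_demo_repo() {
    dir="$1"
    cfg="-c user.name=demo -c user.email=demo@example.invalid -c commit.gpgsign=false"
    git init -q "$dir"
    git -C "$dir" symbolic-ref HEAD refs/heads/main
    git -C "$dir" $cfg commit -q --allow-empty -m "clean release"
    git -C "$dir" tag v0.9.0
    git -C "$dir" tag v1.0.0
    # detached commit on top of the release, never merged into main
    git -C "$dir" checkout -q --detach
    git -C "$dir" $cfg commit -q --allow-empty -m "injected commit (constructed)"
    git -C "$dir" tag -f v1.0.0 >/dev/null
    git -C "$dir" checkout -q main
}

# Demonstration on the constructed repository
demo_dir=$(mktemp -d)
build_demo_repo "$demo_dir"
if find_orphan_tags "$demo_dir" main; then
    echo "all tags descend from main"
else
    echo "WARNING: the tags above point outside main's history"
fi
rm -rf "$demo_dir"
```

Against a real checkout, clone with tags (`git clone --tags <url>`) and run `find_orphan_tags . master` (or whichever branch the maintainers treat as trusted); a tag that legitimately lives on a release branch will also be reported, so the output is a review list, not a verdict. Because tags are mutable references, workflows that consume third-party actions are better pinned to a full commit SHA than to a tag name; this audit is the complementary check for tags that have already moved.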
