GitHub PATs harvested in the Trivy intrusion were used to force-push malicious tags on checkmarx/kics-github-action. The attacker infrastructure used domains different from those of the Trivy wave, so tag-pinning and domain-reputation defenses missed it. Sysdig caught the behavioural signature: CI runners uploading encrypted blobs to unexpected endpoints.
Checkmarx KICS Action compromised via stolen Trivy tokens
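As an added illustration of why tag pinning fails against a force-pushed tag (example code, not from this page, Sysdig or Checkmarx), the script below flags workflow `uses:` references pinned to a mutable tag and compares each tag's current commit with the commit recorded when the reference was last reviewed. The workflow text, baseline and current-tag data are constructed placeholders; in practice the current values would come from `git ls-remote --tags`.

```python
import re

# Constructed sample workflow (example input, not taken from the page).
WORKFLOW = """
jobs:
  scan:
    steps:
      - uses: actions/checkout@v4
      - uses: checkmarx/kics-github-action@v2.1.0
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567
"""

# Commit each tag resolved to when it was last reviewed (constructed placeholder SHAs).
BASELINE = {
    "actions/checkout@v4": "1" * 40,
    "checkmarx/kics-github-action@v2.1.0": "2" * 40,
}

# What the same tags resolve to now (constructed). The KICS tag has been
# moved to a different commit, which is what a force-pushed tag looks like.
CURRENT = {
    "actions/checkout@v4": "1" * 40,
    "checkmarx/kics-github-action@v2.1.0": "3" * 40,
}

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+)@(\S+)", re.M)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_uses(workflow_text, baseline=BASELINE, current=CURRENT):
    """Map each `owner/repo@ref` in the workflow to a pinning-risk status."""
    result = {}
    for repo, ref in USES_RE.findall(workflow_text):
        key = f"{repo}@{ref}"
        if SHA_RE.match(ref):
            status = "sha-pinned"        # immutable: a moved tag cannot affect it
        elif key not in baseline:
            status = "tag-unbaselined"   # never reviewed, so movement is undetectable
        elif current.get(key) != baseline[key]:
            status = "tag-moved"         # tag now points at a different commit
        else:
            status = "tag-unchanged"
        result[key] = status
    return result


if __name__ == "__main__":
    for key, status in classify_uses(WORKFLOW).items():
        print(f"{status:16} {key}")
```

Anything reported as `tag-moved` warrants the same scrutiny as a new dependency, since the workflow file itself has not changed.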