Checkmarx KICS (Infrastructure-as-Code scanner) was trojanized by the TeamPCP threat actor group as part of the supply chain campaign documented in SCC-CAM-2026-0121; no CVE has been assigned. Organizations using KICS in CI/CD pipelines should suspend automated pulls, verify package integrity against a known-good hash baseline, and rotate all credentials accessible to affected build environments. Specific affected versions have not been confirmed from available sources — validate against official Checkmarx advisories before resuming use.