CRITICAL | 3 min read | 24 Apr 2026

GitLab EE/CE — Coordinated Advisories and Immediate Patches Required

High-severity vulnerabilities in GitLab Enterprise Edition and Community Edition have triggered coordinated advisories from NCSC-NL and BSI CERT-Bund. Patches are available immediately. All self-hosted GitLab operators must apply updates without delay.

Key findings

1. GitLab EE/CE: Coordinated UK/EU High-Severity Vulnerabilities (High)

   On 2026-04-23, both NCSC-NL (the Dutch national cybersecurity centre) and BSI CERT-Bund (Germany's federal IT security authority) released coordinated high-severity vulnerability advisories for GitLab Enterprise Edition and Community Edition.

2. China-Nexus Covert Networks: 16-Nation Government Advisory (High)

   NCSC UK and 16 allied government cybersecurity agencies issued a joint advisory on a Chinese state actor building massive proxy networks from compromised consumer and OT devices. This is not the APT28 work from before. It's a different threat, different scale, different victims.

3. Checkmarx KICS: Supply-Chain Compromise and Developer Credential Harvesting (Medium)

   For 84 minutes on 2026-04-22 (14:17:59–15:41:31 UTC), malicious Checkmarx KICS Docker images and extensions sat on Docker Hub and the VSCode marketplace. The code inside them harvested developer credentials: GitHub tokens, cloud credentials, SSH keys, npm tokens, and local config files.

GitLab EE/CE: Coordinated UK/EU High-Severity Vulnerabilities

Confidence: High

On 2026-04-23, both NCSC-NL (the Dutch national cybersecurity centre) and BSI CERT-Bund (Germany's federal IT security authority) released coordinated high-severity vulnerability advisories for GitLab Enterprise Edition and Community Edition. The advisories reference WID-SEC-2026-1245 (BSI) and NCSC-2026-0128 (NCSC-NL), and confirm that patches are available for immediate deployment.

Two Tier-0 European authorities coordinating advisories is not routine. This signals a serious vulnerability affecting development infrastructure at scale. If you're running self-hosted GitLab, especially in a CI/CD pipeline role, treat this as your priority for today.

Start here:

1. Inventory all your self-hosted GitLab instances and note their versions.

2. Patch to the latest release today. Do not wait.

3. Check your logs for suspicious activity in the pre-patch period.

The advisory moved fast and the patch came fast. That tells you something about how seriously the European security community views this one.

Checkmarx KICS: Supply-Chain Compromise and Developer Credential Harvesting

Confidence: Medium

For 84 minutes on 2026-04-22 (14:17:59–15:41:31 UTC), malicious Checkmarx KICS Docker images and extensions sat on Docker Hub and the VSCode marketplace. The code inside them harvested developer credentials: GitHub tokens, cloud credentials, SSH keys, npm tokens, and local config files.

Checkmarx confirmed it publicly. The bad images are gone from Docker Hub now. But if your CI/CD pipeline ran KICS v2.1.21 during that 84-minute window, assume your credentials are compromised.

What to do if you pulled it:

1. Check if any of your CI/CD systems ran v2.1.21 during those 84 minutes (check your Docker image logs).

2. Rotate all credentials that KICS had access to: GitHub tokens, cloud keys, SSH keys, npm, local configs. All of it.

3. Search your git logs and CI/CD history for unexpected changes during and just after that window.

4. Check your cloud provider logs for suspicious resource creation or data moves.

5. Verify the digest of your current KICS image against Checkmarx's published hash.

This matters because IaC scanning tools run with high privileges and see your credentials and infrastructure code. A compromised scanner becomes a direct bridge into your development environment and, from there, into production.
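Steps 1 and 5 above in working form, as an added example that is not the brief's or Checkmarx's own code: it walks a runner log, flags jobs that pulled the v2.1.21 tag inside the 84-minute window, and excuses pulls pinned to a digest you have already verified against Checkmarx's published hash. The log line format, the image name checkmarx/kics and the known-good digest are assumptions; the sample log lines are constructed.

```python
"""Added example (not the brief's or Checkmarx's code): flag CI jobs that pulled
KICS v2.1.21 inside the brief's 84-minute window. Log format, image name
checkmarx/kics and the known-good digest are assumptions; log lines are constructed."""
import re
from datetime import datetime, timezone

WINDOW_START = datetime(2026, 4, 22, 14, 17, 59, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 4, 22, 15, 41, 31, tzinfo=timezone.utc)
AFFECTED_TAG = "v2.1.21"
# Placeholder digest: substitute the hash Checkmarx publishes for the clean image.
KNOWN_GOOD_DIGESTS = {"sha256:" + "0" * 64}
# Assumed runner log shape: "<ISO-8601 UTC> job=<id> pull image=<ref>"
LINE_RE = re.compile(r"^(?P<ts>\S+) job=(?P<job>\S+) pull image=(?P<image>\S+)$")

def parse_ref(ref):
    """Split 'registry/repo:tag@sha256:...' into (repo, tag, digest)."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    head, _, last = ref.rpartition("/")
    name, _, tag = last.partition(":")
    return (f"{head}/{name}" if head else name), tag or "latest", digest

def exposed_jobs(log_lines):
    """Jobs that pulled the affected tag in the window without a verified digest."""
    hits = []
    for line in log_lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated log line
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        repo, tag, digest = parse_ref(m["image"])
        if not repo.endswith("checkmarx/kics") or tag != AFFECTED_TAG:
            continue
        if digest in KNOWN_GOOD_DIGESTS:
            continue  # pinned to the clean image, so the tag swap did not apply
        if WINDOW_START <= ts <= WINDOW_END:
            hits.append(m["job"])  # treat as exposed: rotate everything the job could see
    return hits

# Constructed sample: one pull before, three inside (one digest-pinned), one after.
SAMPLE_LOG = [
    "2026-04-22T13:58:10Z job=scan-4410 pull image=docker.io/checkmarx/kics:v2.1.21",
    "2026-04-22T14:20:05Z job=scan-4412 pull image=docker.io/checkmarx/kics:v2.1.21",
    "2026-04-22T14:25:44Z job=build-4413 pull image=docker.io/library/node:20",
    "2026-04-22T15:30:00Z job=scan-4419 pull image=checkmarx/kics:v2.1.21@sha256:" + "0" * 64,
    "2026-04-22T15:41:31Z job=scan-4420 pull image=checkmarx/kics:v2.1.21",
    "2026-04-22T15:50:12Z job=scan-4421 pull image=checkmarx/kics:v2.1.21",
]
print("rotate credentials for jobs:", exposed_jobs(SAMPLE_LOG))
```

A pull of the same tag before the window is outside scope by this check, but a job that reused a runner-cached image pulled inside the window is still exposed, so match on the pull that populated the cache, not on the job that consumed it.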

China-Nexus Covert Networks: 16-Nation Government Advisory

Confidence: High

NCSC UK and 16 allied government cybersecurity agencies issued a joint advisory on a Chinese state actor building massive proxy networks from compromised consumer and OT devices. This is not the APT28 work from before. It's a different threat, different scale, different victims. The actor is using botnet proxy infrastructure to hide its activity and stay invisible.

What this means:

  • If you run critical infrastructure or work with government, this actor is interested in you.
  • Compromised consumer routers, IoT kit, and industrial control gear can become attack vectors into your network. Your defences can't stop at the enterprise boundary.
  • You need visibility into what third-party devices connect to your network and how.

NCSC UK has published mitigation guidance. Read it if you're in CNI or have government contracts. For everyone else: this is a heads-up that state-level actors are building persistent infrastructure at scale.

Why This Matters

Two separate attack vectors on your development pipeline converge today: vulnerabilities in your version control system, and a compromised scanning tool that harvests credentials. These are not theoretical. They need action today. The China-nexus advisory reminds us that state actors are patient and systematic: they build infrastructure, find supply-chain exploits, and use them to stay inside high-value targets for years.

Recommended Actions

  • Today: Patch GitLab. Audit logs for pre-patch access.
  • Today: If you use KICS, check whether v2.1.21 ran in your pipeline during those 84 minutes. If yes: rotate credentials.
  • This week: Read the NCSC advisory on China-nexus networks. Ask yourself: what consumer or OT gear connects to my network? Do I have visibility into it?

All findings grounded in A13E intelligence sweeps through 06:30 UTC 24 April 2026.