Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
SilverFox Hackers Deploy Go RAT, AV Killer, Kernel Rootkit in ValleyRAT Campaign
July 6, 2026
OpenSSH 9.7 Fixes Critical Vulnerabilities, Adds New Features
July 6, 2026
Critical Microsoft Edge Bug (CVE-2024-XXXX) Lets Attackers Run Code Remotely
July 6, 2026
Home/CyberSecurity News/Checkmarx KICS Docker Image Compromised to Inject Malware
CyberSecurity News

Checkmarx KICS Docker Image Compromised to Inject Malware

Key Takeaways A sophisticated supply chain attack targeted Checkmarx’s KICS Docker images and VS Code extensions. Threat actors injected malware designed to steal developer credentials, cloud...

Jennifer sherman
Jennifer sherman
April 23, 2026 4 Min Read
47 0

Key Takeaways

  • A sophisticated supply chain attack targeted Checkmarx’s KICS Docker images and VS Code extensions.
  • Threat actors injected malware designed to steal developer credentials, cloud secrets, and API keys.
  • The compromise led to the exfiltration of sensitive Infrastructure as Code (IaC) scan reports and potential abuse of GitHub and npm tokens for further supply chain attacks.
  • Affected components include specific KICS Docker image tags and Checkmarx VS Code extensions (cx-dev-assist and ast-results).
  • Immediate action is required to remove compromised assets, rotate credentials, and audit systems for indicators of compromise.

A significant supply chain attack has been uncovered, impacting the official checkmarx/kics Docker Hub repository and several Checkmarx VS Code extensions. Threat actors successfully pushed malicious images and extension versions, which were engineered to harvest and exfiltrate sensitive developer credentials and infrastructure secrets from compromised environments.

Table Of Content

  • Key Takeaways
  • Trojanized Binaries and Credential Exfiltration
  • VS Code Extensions Also Compromised
  • What You Should Do

The incident came to light on April 22, 2026, when Docker’s internal monitoring systems detected unusual activity surrounding KICS image tags. This triggered an immediate alert to researchers at Socket, who initiated a comprehensive investigation.

The probe revealed that attackers had tampered with existing Docker image tags, specifically overwriting v2.1.20 and alpine. Additionally, a new, unauthorized tag, v2.1.21, was introduced, which lacked any corresponding legitimate upstream release. The full list of affected tags included v2.1.20-debian, v2.1.20, debian, alpine, and latest. All compromised tags have since been reverted to their original, legitimate versions.

KICS, an acronym for Keeping Infrastructure as Code Secure, is a widely adopted open-source tool. It plays a crucial role for DevOps and security teams by scanning Infrastructure as Code (IaC) configurations—such as Terraform, CloudFormation, and Kubernetes—for potential security misconfigurations. Its extensive integration into continuous integration/continuous delivery (CI/CD) pipelines made it a prime target for supply chain attackers seeking broad impact.

Trojanized Binaries and Credential Exfiltration

Forensic analysis of the tainted KICS Docker images exposed a modified ELF binary, written in Golang. This altered binary contained unauthorized telemetry and data exfiltration capabilities, features entirely absent from the authentic version of the tool.

The embedded malware was designed to generate unredacted IaC scan reports, encrypt them, and then covertly transmit the results to an attacker-controlled external endpoint located at https://audit.checkmarx[.]cx/v1/telemetry. Organizations that utilized these compromised images to scan their IaC files must consider any exposed secrets, cloud credentials, or API keys as potentially compromised.

Intriguingly, the malicious binary shared its Command and Control (C2) server address with a separate JavaScript payload identified as mcpAddon.js. This common C2 infrastructure suggests a coordinated, multi-component attack strategy deployed by the threat actors.

VS Code Extensions Also Compromised

As Socket researchers broadened their investigation, the scope of the compromise extended beyond Docker Hub. Trojanized versions of Checkmarx’s VS Code and Open VSX extensions were also discovered. Specifically, affected versions included cx-dev-assist 1.17.0 and 1.19.0, and ast-results 2.63.0 and 2.66.0.

Upon activation, these compromised extensions surreptitiously downloaded a second-stage payload, mcpAddon.js, from a hardcoded GitHub URL. This URL pointed to an orphaned, backdated commit (68ed490b) within the official Checkmarx repository. The payload was then executed using the Bun runtime, bypassing user consent and integrity verification checks.

The mcpAddon.js file, a heavily obfuscated JavaScript bundle weighing approximately 10MB, functioned as a full-featured credential stealer. It systematically harvested GitHub authentication tokens, AWS credentials, Azure and Google Cloud tokens, npm configuration files, SSH keys, and environment variables. The collected data was then compressed, encrypted, and exfiltrated to the attacker’s endpoint.

The malware’s capabilities extended beyond mere credential theft. Leveraging stolen GitHub tokens, it injected malicious GitHub Actions workflows (.github/workflows/format-check.yml) into repositories where the victim possessed write access. This workflow exploited ${{ toJSON(secrets) }} to serialize and exfiltrate the entire secrets context of each targeted repository as a downloadable artifact. Furthermore, stolen npm tokens were abused to identify and republish writable packages, facilitating downstream supply chain propagation across the npm ecosystem.

The threat actor group “TeamPCP” appears to be claiming responsibility for the attack. Their account on X posted taunting messages after the story broke, stating, “Thank you OSS distribution for another very successful day at PCP inc.” This behavior is consistent with TeamPCP’s previous campaign in March 2026, which also involved compromising Checkmarx GitHub Actions and OpenVSX plugins in a broader supply chain attack targeting Trivy and LiteLLM.

What You Should Do

  • Remove and Replace: Immediately remove all affected KICS Docker images, VS Code extensions, and GitHub Actions from developer systems and CI/CD pipelines. Replace them with verified, legitimate versions.
  • Rotate Credentials: Promptly rotate all GitHub tokens, npm tokens, cloud credentials (AWS, Azure, GCP), SSH keys, and any other CI/CD secrets that were exposed to environments utilizing the compromised components.
  • Audit GitHub Repositories: Conduct a thorough audit of GitHub repositories for unauthorized workflow files (e.g., .github/workflows/format-check.yml), unexpected branch creation, suspicious artifact downloads, and public repositories matching the pattern <word>-<word>-<3 digits> with the description “Checkmarx Configuration Storage.”
  • Hunt for Indicators of Compromise (IoCs): Actively hunt for outbound connections to 94[.]154[.]172[.]43 or audit.checkmarx[.]cx. Look for unexpected execution of the Bun runtime and unauthorized access attempts to .npmrc, .env files, or cloud credential stores.
  • Pin Docker Images: As a best practice, always pin Docker image references to specific SHA256 digests rather than relying on mutable tags (e.g., latest, alpine) to prevent similar supply chain attacks.

Socket has shared its findings with the Checkmarx security team, and the Docker repository has been archived, with all affected tags restored to verified legitimate releases. Socket continues to provide updated technical analysis as the investigation progresses.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackExploitMalwareSecurityThreat

Share Article

Jennifer sherman

Jennifer sherman

Jennifer is a cybersecurity news reporter covering data breaches, ransomware campaigns, and dark web markets. With a background in incident response, Jennifer provides unique insights into how organizations respond to cyber attacks and the evolving tactics of threat actors. Her reporting has covered major breaches affecting millions of users and has helped organizations understand emerging threats. Jennifer combines technical knowledge with investigative journalism to deliver in-depth coverage of cybersecurity incidents.

Previous Post

Fake GitHub Repositories Deliver SmartLoader and StealC Malware

Next Post

Apple Patches Critical Notification Privacy Flaw in iOS, iPadOS

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
FIFA World Cup Hype Used by Hackers to Steal PII and Payment Details
July 6, 2026
Multiple PHP Vulnerabilities Allow DoS and Memory Corruption Attacks
July 6, 2026
Critical ModSecurity Flaws Let Attackers Bypass Firewall Rules
July 6, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
David kimber
David kimber
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us