Checkmarx Uncovers Malicious KICS Docker Images and VS Code Extensions in Supply Chain Attack

Key Takeaways

• Malicious actors overwrote existing tags (e.g., v2.1.20, alpine) and added a fraudulent v2.1.21 tag in the official checkmarx/kics Docker Hub repository.
• The tampered KICS binary was altered to collect, encrypt, and exfiltrate scan reports containing IaC secrets to an external endpoint.
• Related Checkmarx tooling, specifically recent Microsoft Visual Studio Code extensions (versions 1.17.0 and 1.19.0), contained hard‑coded code that silently downloaded and executed a remote addon via the Bun runtime.
• The incident indicates a broader supply‑chain compromise affecting multiple distribution channels used by Checkmarx.
• Organizations that scanned Terraform, CloudFormation, or Kubernetes files with the compromised KICS image should consider any exposed credentials or secrets as likely compromised and rotate them immediately.
• Socket’s analysis highlights the need for image integrity verification, tag immutability policies, and runtime monitoring for unexpected network calls.
• Checkmarx has been contacted for comment; the story is developing and updates will follow as more information becomes available.

Overview of the Incident
On April 22, 2026, cybersecurity researchers from Socket disclosed a supply‑chain attack targeting the official Docker Hub repository for Checkmarx’s open‑source KICS (Keeping Infrastructure as Code Secure) scanner. Unknown threat actors managed to overwrite legitimate image tags and push a malicious variant that silently harvested sensitive data from IaC scans. The compromised repository has since been archived, but the fallout continues to affect teams that relied on the images for security scanning of cloud‑native configurations.

Compromised Docker Hub Repository
Socket’s alert emphasized that the attackers did not merely add a new tag; they actively overwrote existing, trusted tags such as v2.1.20 and alpine. This technique allowed any downstream CI/CD pipeline that pinned to those tags—without specifying a digest—to pull the poisoned image unknowingly. The presence of a fabricated v2.1.21 tag, which does not correspond to any official Checkmarx release, further illustrates the attackers’ effort to masquerade as a legitimate update while bypassing version‑checking mechanisms that rely solely on semantic tags.

Details of Malicious Image Modification
Binary analysis of the tainted KICS image revealed that the bundled KICS executable had been altered to include additional data‑collection and exfiltration routines absent from the upstream source. The malicious code intercepts the scan output, aggregates discovered secrets (such as API keys, database passwords, and cloud credentials), encrypts the payload using a hard‑coded public key, and transmits it to an external command‑and‑control server over HTTPS. Because the modifications were compiled into the binary, standard image‑scanning tools that only inspect layers or metadata would not detect the tampering unless they performed runtime behavior analysis or verified binary hashes against a known‑good build.

Data Exfiltration Mechanism
The exfiltration pathway operates silently during a normal KICS scan. After generating the usual JSON or SARIF report, the malware appends a supplementary block containing the harvested credentials, encrypts it with RSA‑OAEP using a key embedded in the binary, and POSTs the ciphertext to a predefined endpoint (observed to be a domain registered shortly before the attack). The traffic mimics legitimate telemetry, making detection by network‑based anomaly tools challenging unless outbound connections to unfamiliar destinations are closely monitored and blocked by default‑deny egress policies.

Impact on Checkmarx KICS Usage
Any organization that used the compromised image to scan Terraform, AWS CloudFormation, Azure Resource Manager, or Kubernetes manifests should assume that secrets visible to those scans were captured and transmitted. This includes inline secrets, hard‑coded passwords, and even temporary tokens that might appear in IaC files during development. Consequently, affected secrets must be treated as compromised: rotation of API keys, re‑issuance of certificates, and audit of any systems that might have ingested the leaked data are essential remediation steps.

Supply Chain Extension to VS Code Extension
Socket further reported that the breach extends beyond Docker Hub. Recent releases of the Checkmarx‑provided Microsoft Visual Studio Code extension (versions 1.17.0 and 1.19.0) contained malicious JavaScript that, upon activation, silently fetched and executed a remote addon via the Bun runtime. The addon was retrieved from a hard‑coded GitHub URL without any user confirmation, integrity verification, or code‑signing check, thereby allowing attackers to run arbitrary code inside the developer’s IDE environment.

Technical Details of VS Code Malware
The malicious snippet resides in the extension’s activation script. It checks for a specific environment variable, then constructs a URL pointing to a GitHub repository controlled by the threat actor, downloads a Bun‑compatible JavaScript bundle, and executes it using Bun’s runtime engine. Because Bun can run JavaScript outside of Node.js’s typical security sandbox, the payload gains the same privileges as the extension—access to the workspace, terminal, and network. Notably, the malicious code was removed in version 1.19.0, indicating a brief window of exposure, but any developer who installed or updated the extension during that period remains at risk.

Broader Supply Chain Compromise
The convergence of attacks on both the Docker image and the VS Code extension suggests a coordinated effort to infiltrate multiple distribution channels used by Checkmarx’s users. Socket’s analysts noted that the same infrastructure (e.g., the external exfiltration endpoint and the GitHub host) was referenced in both attacks, implying a single threat actor or group behind the campaign. This pattern underscores the danger of relying on a single source of truth for software components and highlights the necessity of cross‑channel verification (e.g., comparing Docker image hashes with signatures published on a trusted code‑signing service).

Recommendations for Affected Organizations

1. Immediate Image Replacement: Pull the official KICS image from a verified source (e.g., using image digest@sha256…) and redeploy all scanning pipelines.
2. Secret Rotation: Assume any secrets scanned with the compromised image are exposed; rotate passwords, API keys, and cloud service credentials.
3. Network Controls: Enforce strict egress filtering to block outbound connections to unknown or newly registered domains, and inspect TLS traffic for anomalies.
4. Code‑Signing Verification: Enable signature checks for Docker images (Notary, Cosign) and VS Code extensions (Microsoft’s Marketplace signing).
5. SBOM and Integrity Scanning: Generate Software Bill of Materials for all third‑party components and routinely compare them against trusted baselines.
6. Monitoring & Alerting: Deploy runtime behavior monitoring that flags unexpected outbound HTTPS calls from scanning tools or IDE extensions.

Checkmarx Response and Ongoing Investigation
The Hacker News reached out to Checkmarx for an official statement regarding the breach, the scope of the compromise, and any remedial patches being released. As of this writing, Checkmarx has not publicly responded; the story is marked as developing, and further details are expected as the company conducts its internal forensic analysis and coordinates with downstream users.

Conclusion and Future Vigilance
This incident serves as a stark reminder that even well‑known open‑source security tools can become vectors for supply‑chain attacks when adversaries gain control of distribution channels. The ability to overwrite trusted tags and inject malicious binaries into legitimate pipelines demonstrates the insufficiency of relying solely on version tags for integrity assurance. Organizations must adopt a defense‑in‑depth strategy that combines cryptographic verification, immutable tagging, continuous monitoring, and rapid incident response to mitigate the risk of similar compromises in the future. By treating every third‑party component as potentially hostile and validating its integrity before execution, teams can better protect their infrastructure‑as‑code scanning processes—and the sensitive data they handle—from covert exfiltration campaigns.