{"id":12336,"date":"2026-04-23T10:03:51","date_gmt":"2026-04-23T10:03:51","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/04\/23\/checkmarx-kics-official-docker-repo-compromised-to-inject-malicious-code\/"},"modified":"2026-04-23T10:03:51","modified_gmt":"2026-04-23T10:03:51","slug":"checkmarx-kics-official-docker-repo-compromised-to-inject-malicious-code","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/04\/23\/checkmarx-kics-official-docker-repo-compromised-to-inject-malicious-code\/","title":{"rendered":"Checkmarx KICS Official Docker Repo Compromised to Inject Malicious Code"},"content":{"rendered":"

Checkmarx KICS Official Docker Repo Compromised to Inject Malicious Code
\n \t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

A significant supply chain attack targeting the official checkmarx\/kics<\/code> Docker Hub repository, where threat actors pushed trojanized images capable of harvesting and exfiltrating sensitive developer credentials and infrastructure secrets.<\/p>\n

Docker\u2019s internal monitoring flagged suspicious activity around KICS image tags on April 22, 2026, and promptly alerted Socket researchers.<\/p>\n

The investigation revealed that attackers had overwritten existing tags, including v2.1.20<\/code> and alpine<\/code> while also introducing a new v2.1.21<\/code> tag that has no corresponding legitimate upstream release.<\/p>\n

The affected tags ultimately included v2.1.20-debian<\/code>, v2.1.20<\/code>, debian<\/code>, alpine<\/code>, and latest<\/code>, all of which have since been restored to their prior legitimate releases.<\/p>\n

KICS, short for Keeping Infrastructure as Code Secure, is an open-source tool widely used by DevOps and security teams to scan Terraform, CloudFormation, and Kubernetes configurations for security misconfigurations. Its broad adoption across CI\/CD pipelines<\/a> made it an especially high-value target for supply chain attackers.<\/p>\n

Trojanized Binary and Credential Exfiltration<\/strong><\/h2>\n

Analysis of the poisoned KICS images revealed that the bundled ELF binary written in Golang had been modified to include unauthorized telemetry and data exfiltration capabilities entirely absent from the legitimate version.<\/p>\n

The malware was designed to generate uncensored IaC scan reports, encrypt the results, and silently transmit them to an attacker-controlled external endpoint at https:\/\/audit.checkmarx[.]cx\/v1\/telemetry<\/code>.<\/p>\n

Organizations that used the affected images to scan infrastructure-as-code files should treat any exposed secrets, cloud credentials, or API keys as potentially compromised.<\/p>\n

The malicious binary shared the same Command and Control (C2) server address as a separately discovered JavaScript payload called mcpAddon.js<\/code>, indicating a coordinated, multi-component attack infrastructure.<\/p>\n

VS Code Extensions Also Weaponized<\/strong><\/h2>\n

As Socket researchers expanded their investigation<\/a>, the scope broadened well beyond Docker Hub. Trojanized versions of Checkmarx\u2019s VS Code and Open VSX extensions were also identified specifically, cx-dev-assist<\/code> versions 1.17.0 and 1.19.0, and ast-results<\/code> versions 2.63.0 and 2.66.0.<\/p>\n

These extensions, upon activation, silently downloaded a second-stage payload (mcpAddon.js<\/code>) from a hardcoded GitHub URL pointing to an orphaned backdated commit (68ed490b<\/code>) in the official Checkmarx repository, then executed it using the Bun runtime without user consent or integrity verification.<\/p>\n

\n
\"mcpAddon
mcpAddon compromise<\/figcaption><\/figure>\n<\/div>\n

The mcpAddon.js<\/code> file a heavily obfuscated, ~10MB JavaScript bundle functioned as a full-featured credential stealer.<\/p>\n

It harvested GitHub authentication tokens, AWS credentials, Azure and Google Cloud tokens, npm configuration files, SSH keys, and environment variables, compressing and encrypting the exfiltrated data before sending it to the attacker\u2019s endpoint.<\/p>\n

The malware\u2019s reach extended beyond credential theft. Using stolen GitHub tokens, the malware injected malicious GitHub Actions workflows (.github\/workflows\/format-check.yml<\/code>) into repositories the victim had write access to.<\/p>\n

The workflow exploited ${{ toJSON(secrets) }}<\/code> to serialize and exfiltrate the entire secrets context of each targeted repository as a downloadable artifact. Stolen npm tokens were further abused to identify and republish writable packages, enabling downstream supply-chain propagation across the npm ecosystem.<\/p>\n

The threat actor group TeamPCP appears to be claiming credit for the attack. Their<\/code> account on X posted taunting messages after the story broke, stating \u201cThank you OSS distribution for another very successful day at PCP inc.\u201d.<\/p>\n

\n
\"\"<\/figure>\n<\/div>\n

This is consistent with TeamPCP\u2019s prior March 2026 campaign, in which the group compromised Checkmarx GitHub Actions and OpenVSX plugins in a broader supply chain attack that also targeted Trivy and LiteLLM.mrcloudbook+2<\/p>\n

Mitigations<\/strong><\/h2>\n

Security teams should take the following actions immediately:<\/p>\n