
Docker and Socket have uncovered malicious Checkmarx KICS images and suspicious VS Code extension releases in a broader supply chain compromise.

Published:

22 April 2026 at 16:00:18

Alert date:

22 April 2026 at 17:03:04

Source:

socket.dev


Supply Chain & Dependencies, Security Tools, Cloud & Virtualization

Docker and Socket discovered malicious images in the official Checkmarx KICS Docker repository, where attackers overwrote existing tags including v2.1.20 and alpine, and introduced a fake v2.1.21 tag. The compromised KICS binary was modified to collect and exfiltrate scan reports containing sensitive infrastructure-as-code data. The compromise extended beyond Docker images to include VS Code extensions with remote code execution capabilities. Organizations that used affected images to scan Terraform, CloudFormation, or Kubernetes configurations should consider exposed secrets potentially compromised. This appears to be part of a broader supply chain attack affecting multiple Checkmarx distribution channels.

Technical details

Attackers compromised the official checkmarx/kics Docker Hub repository by overwriting existing tags, including v2.1.20 and alpine, and introducing a fake v2.1.21 tag. The poisoned KICS binary was modified to include data collection and exfiltration capabilities, allowing it to generate uncensored scan reports, encrypt them, and send them to external endpoints. The compromise extended to the Checkmarx VS Code extension in versions 1.17.0 and 1.19.0, which introduced code capable of downloading and executing remote addons through the Bun runtime from a hardcoded GitHub URL, without user confirmation or integrity verification. The malicious behavior was absent from version 1.18.0.

Mitigation steps:

Organizations that used the affected KICS Docker images to scan Terraform, CloudFormation, or Kubernetes configurations should consider any secrets or credentials exposed to those scans potentially at risk. Avoid using the compromised Docker image tags and VS Code extension versions 1.17.0 and 1.19.0. Update to legitimate versions and verify the integrity of scanning tools before use.
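A small triage helper for the steps above, added here as an example and not part of the advisory: it flags locally pulled checkmarx/kics images carrying the affected tags, finds Dockerfile or CI references that pull the image by tag alone rather than by digest, and flags the affected extension versions in `code --list-extensions --show-versions` output. The extension id `checkmarx.ast-results` and all sample command output are assumptions/constructed; the advisory does not give them.

```python
"""Hunt for the checkmarx/kics image tags and Checkmarx VS Code extension versions
named in the advisory above. Added example; all sample command output is constructed."""

# Tags the advisory names as overwritten or fake in the checkmarx/kics repository.
AFFECTED_KICS_TAGS = {"v2.1.20", "alpine", "v2.1.21"}
# Extension versions the advisory names as carrying the remote-addon loader.
AFFECTED_EXTENSION_VERSIONS = {"1.17.0", "1.19.0"}
# Assumed extension id (the advisory does not give one); match it to the id your
# `code --list-extensions` prints.
CHECKMARX_EXTENSION_ID = "checkmarx.ast-results"

def find_affected_images(docker_images_output: str) -> list[dict]:
    """Parse `docker images --digests` output; return checkmarx/kics entries whose
    tag is affected, with the local digest for comparison against a known-good pull."""
    hits = []
    for line in docker_images_output.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) >= 3 and cols[0] == "checkmarx/kics" and cols[1] in AFFECTED_KICS_TAGS:
            hits.append({"image": f"{cols[0]}:{cols[1]}", "digest": cols[2]})
    return hits

def find_unpinned_kics_references(text: str) -> list[str]:
    """Return Dockerfile/CI lines that pull checkmarx/kics by tag alone. A tag can be
    silently overwritten, as happened here; an @sha256 digest pin turns that into a
    pull failure instead of a poisoned scan."""
    return [ln.strip() for ln in text.splitlines()
            if "checkmarx/kics" in ln and "@sha256:" not in ln]

def find_affected_extensions(code_list_output: str) -> list[str]:
    """Parse `code --list-extensions --show-versions` output (one id@version per line)."""
    hits = []
    for line in code_list_output.splitlines():
        ext_id, _, version = line.strip().partition("@")
        if ext_id == CHECKMARX_EXTENSION_ID and version in AFFECTED_EXTENSION_VERSIONS:
            hits.append(line.strip())
    return hits

# Constructed sample output standing in for the real commands.
SAMPLE_DOCKER_IMAGES = """REPOSITORY      TAG      DIGEST                          IMAGE ID      CREATED     SIZE
checkmarx/kics  v2.1.20  sha256:PLACEHOLDER_DIGEST_LOCAL aaaaaaaaaaaa  2 days ago  180MB
checkmarx/kics  v2.1.19  sha256:PLACEHOLDER_DIGEST_OLD   bbbbbbbbbbbb  3 weeks ago 180MB
alpine          3.19     sha256:PLACEHOLDER_DIGEST_BASE  cccccccccccc  4 weeks ago 7MB
"""
SAMPLE_CI = """image: checkmarx/kics:v2.1.20
image: checkmarx/kics:v2.1.19@sha256:PLACEHOLDER_PINNED_DIGEST
"""
SAMPLE_EXTENSIONS = "checkmarx.ast-results@1.19.0\nms-python.python@2024.4.1\n"
```

Feed the functions the real output of `docker images --digests`, your CI and Dockerfile sources, and `code --list-extensions --show-versions`; any hit from the first or third function means the scan inputs handled by that host should be treated as exposed, as the advisory advises.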

Affected products:


Related links:

Related CVEs:

Related threat actors:

IOCs:

checkmarx/kics:v2.1.20 (compromised), checkmarx/kics:alpine (compromised), checkmarx/kics:v2.1.21 (malicious fake release), Checkmarx VS Code extension v1.17.0, Checkmarx VS Code extension v1.19.0, Modified KICS binary with unauthorized telemetry and exfiltration functionality, Hardcoded GitHub URL for remote addon execution in VS Code extensions

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: This website displays information originating from external sources. Perceptive accepts no responsibility for the content, accuracy or completeness of this information.
