


Perceptive Security
SOC/SIEM Consultancy

New Checkmarx supply-chain breach affects KICS analysis tool
Published:
23 April 2026 at 16:05:12
Alert date:
23 April 2026 at 17:04:31
Source:
bleepingcomputer.com
Supply Chain & Dependencies, Security Tools, Data Breach & Exfiltration
Hackers compromised Docker images, VSCode and Open VSX extensions for the Checkmarx KICS analysis tool to harvest sensitive data from developer environments. This supply chain attack targets development tools and infrastructure, potentially affecting numerous software development organizations using the compromised KICS security analysis tool. The breach demonstrates the continued targeting of developer toolchains as an attack vector.
Technical details
Hackers compromised Docker images, VSCode and Open VSX extensions for the Checkmarx KICS analysis tool. The compromise included a hidden 'MCP addon' feature that downloaded multi-stage credential theft malware (mcpAddon.js) from a hardcoded GitHub URL. The malware targets GitHub tokens, cloud credentials (AWS, Azure, Google Cloud), npm tokens, SSH keys, Claude configs, and environment variables. It encrypts the data and exfiltrates it to the audit.checkmarx[.]cx domain, and it automatically creates public GitHub repositories for data exfiltration. Docker tags were temporarily repointed to a malicious digest during a specific timeframe.
Mitigation steps:
Consider secrets compromised if the affected components were downloaded during the dangerous timeframe, and rotate them immediately. Rebuild environments from a known safe point. Block access to 'checkmarx.cx => 91[.]195[.]240[.]123' and 'audit.checkmarx.cx => 94[.]154[.]172[.]43'. Use pinned SHAs and revert to known safe versions: DockerHub KICS v2.1.20, Checkmarx ast-github-action v2.3.36, Checkmarx VS Code extensions v2.64.0, and Checkmarx Developer Assist extension v1.18.0. Rotate secrets and credentials if compromise is suspected or confirmed.
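One way to check the "use pinned SHAs" step across CI configuration, as an added example that is not code from Checkmarx or the original article. The repository names `checkmarx/kics` and `checkmarx/ast-github-action` are assumptions, and the sample workflow, commit SHA and image digest are constructed placeholders.

```python
import re

# Fake tag from the advisory; repository names below are assumptions.
FAKE_TAG = "2.1.21"  # advisory: fake v2.1.21 Docker tag
# Lookahead avoids matching sibling repos such as checkmarx/kics-github-action.
IMAGE_RE = re.compile(
    r"(?:docker\.io/)?checkmarx/kics(?![\w./-])"
    r"(?::(?P<tag>[\w.-]+))?(?:@(?P<digest>sha256:[0-9a-f]{64}))?", re.I)
ACTION_RE = re.compile(
    r"uses:\s*checkmarx/ast-github-action@(?P<ref>[^\s#]+)", re.I)
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")


def audit(text):
    """Return (line_no, finding) pairs for KICS references that need attention."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        img = IMAGE_RE.search(line)
        if img:
            tag = (img["tag"] or "latest").lower().removeprefix("v")
            if tag == FAKE_TAG:
                # Flag even when a digest is present: the tag itself is bogus.
                findings.append((no, "fake-tag"))
            elif not img["digest"]:
                # A tag is mutable and can be repointed to another digest.
                findings.append((no, "image-not-digest-pinned"))
        act = ACTION_RE.search(line)
        if act and not FULL_SHA_RE.fullmatch(act["ref"].lower()):
            # Version tags and branches on an action can be moved as well.
            findings.append((no, "action-not-sha-pinned"))
    return findings


# Constructed sample workflow; the SHA and digest are placeholders, not real values.
SAMPLE = f"""\
steps:
  - uses: checkmarx/ast-github-action@v2.3.36
  - uses: Checkmarx/ast-github-action@{'c' * 40}
  - run: docker run checkmarx/kics:v2.1.21 scan -p .
  - run: docker run checkmarx/kics:latest scan -p .
  - run: docker run checkmarx/kics:v2.1.20@sha256:{'d' * 64} scan -p .
"""

if __name__ == "__main__":
    for no, finding in audit(SAMPLE):
        print(f"line {no}: {finding}")
```

A reference that passes this check is only as trustworthy as the SHA or digest it pins, so take those values from a release known to predate the compromise window.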
Affected products:
Checkmarx KICS (compromised versions during 2026-04-22 14:17:59 UTC to 2026-04-22 15:41:31 UTC)
KICS Docker Hub image (fake v2.1.21 tag)
Checkmarx VS Code extensions
Open VSX extensions
Checkmarx ast-github-action
Checkmarx Developer Assist extension
Related links:
https://www.bleepingcomputer.com/news/security/trivy-vulnerability-scanner-breach-pushed-infostealer-via-github-actions/
https://www.bleepingcomputer.com/news/security/popular-litellm-pypi-package-compromised-in-teampcp-supply-chain-attack/
http://checkmarx.com/blog/checkmarx-security-update-april-22/
Related CVEs:
Related threat actors:
IOCs:
audit.checkmarx[.]cx, checkmarx.cx => 91[.]195[.]240[.]123, audit.checkmarx.cx => 94[.]154[.]172[.]43, mcpAddon.js, Fake v2.1.21 Docker tag
This article was created with the assistance of AI technology by Perceptive.
