Checkmarx KICS Docker Repository Breach: A Supply Chain Attack Exposes Developer Credentials
In a significant supply chain attack, threat actors compromised the official `checkmarx/kics` Docker Hub repository, injecting malicious code into widely used images. This breach has raised serious concerns about the security of developer tools and the potential exposure of sensitive credentials.
Discovery of the Breach
On April 22, 2026, Docker’s internal monitoring systems detected unusual activity associated with the KICS image tags. The suspicious behavior prompted an immediate alert to security researchers at Socket, who initiated a thorough investigation. Their findings revealed that attackers had overwritten existing tags, including `v2.1.20` and `alpine`, and introduced a new `v2.1.21` tag that lacked a corresponding legitimate upstream release. The compromised tags encompassed `v2.1.20-debian`, `v2.1.20`, `debian`, `alpine`, and `latest`. All affected tags have since been restored to their legitimate versions.
Understanding KICS and Its Significance
KICS, an acronym for Keeping Infrastructure as Code Secure, is an open-source tool extensively utilized by DevOps and security teams. It scans Terraform, CloudFormation, and Kubernetes configurations to identify security misconfigurations. Given its widespread adoption in Continuous Integration and Continuous Deployment (CI/CD) pipelines, KICS represents a high-value target for supply chain attacks.
Details of the Malicious Code Injection
Analysis of the compromised KICS images uncovered that the included ELF binary, written in Golang, had been altered to incorporate unauthorized telemetry and data exfiltration functionalities absent from the legitimate version. The malicious code was engineered to generate uncensored Infrastructure as Code (IaC) scan reports, encrypt the results, and covertly transmit them to an attacker-controlled endpoint at `https://audit.checkmarx[.]cx/v1/telemetry`. Organizations that utilized the affected images to scan IaC files should consider any exposed secrets, cloud credentials, or API keys as potentially compromised.
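An added example (not code from Checkmarx, Socket, or Docker) of how a team might locate its own exposure: it scans CI and build files for `checkmarx/kics` references and separates digest-pinned ones, which a tag overwrite cannot redirect, from the tags named above and from other mutable tags. The file contents, the `v0.0.0-example` tag, and the all-zero digest are constructed placeholders.

```python
import re

# Tags the article lists as overwritten or newly introduced on Docker Hub.
AFFECTED_TAGS = {"v2.1.20-debian", "v2.1.20", "v2.1.21", "debian", "alpine", "latest"}

# checkmarx/kics with optional Docker Hub prefix, optional :tag, optional @sha256 digest.
# The lookahead keeps repositories whose names merely start with "kics" out of the results.
IMAGE_RE = re.compile(
    r"(?<![\w./-])(?:(?:index\.)?docker\.io/)?checkmarx/kics(?![\w-])"
    r"(?::(?P<tag>\w[\w.-]*))?(?:@(?P<digest>sha256:[0-9a-f]{64}))?"
)

def classify(tag, digest):
    if digest:
        return "pinned-by-digest"      # content-addressed: the tag is ignored on pull
    if tag is None or tag in AFFECTED_TAGS:
        return "affected-tag"          # a missing tag resolves to :latest
    return "mutable-tag"               # not listed, but still re-pointable

def audit(files):
    """files: {path: text}. Returns [(path, line_no, reference, verdict)]."""
    findings = []
    for path, text in files.items():
        for no, line in enumerate(text.splitlines(), 1):
            for m in IMAGE_RE.finditer(line):
                verdict = classify(m.group("tag"), m.group("digest"))
                findings.append((path, no, m.group(0), verdict))
    return findings

SAMPLE = {  # constructed sample files, not taken from the incident
    ".gitlab-ci.yml": "scan:\n  image: checkmarx/kics:v2.1.20\n",
    "Makefile": "kics:\n\tdocker run docker.io/checkmarx/kics scan -p .\n",
    "ci/pinned.yml": "image: checkmarx/kics:v2.1.20@sha256:" + "0" * 64 + "\n",
    "ci/other.yml": "image: checkmarx/kics:v0.0.0-example\n",
    ".github/workflows/iac.yml": "uses: checkmarx/kics-github-action@v0.0.0-example\n",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="  ")
```

A digest pin only fixes which content is pulled; the pinned digest itself still has to be compared against a known-good value.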
Expansion to VS Code Extensions
Further investigation by Socket researchers revealed that the attack extended beyond Docker Hub. Trojanized versions of Checkmarx’s Visual Studio Code (VS Code) and Open VSX extensions were identified, specifically `cx-dev-assist` versions 1.17.0 and 1.19.0, and `ast-results` versions 2.63.0 and 2.66.0. Upon activation, these extensions silently downloaded a second-stage payload (`mcpAddon.js`) from a hardcoded GitHub URL pointing to an orphaned, backdated commit (`68ed490b`) in the official Checkmarx repository. The payload was then executed using the Bun runtime without user consent or integrity verification.
Functionality of the Malicious Payload
The `mcpAddon.js` file, a heavily obfuscated 10 MB JavaScript bundle, functioned as a comprehensive credential stealer. It harvested a wide array of sensitive information, including:
– GitHub authentication tokens
– AWS credentials
– Azure and Google Cloud tokens
– npm configuration files
– SSH keys
– Environment variables
The exfiltrated data was compressed, encrypted, and transmitted to the attacker’s endpoint.
Further Exploitation and Propagation
Beyond credential theft, the malware exploited stolen GitHub tokens to inject malicious GitHub Actions workflows (`.github/workflows/format-check.yml`) into repositories accessible to the victim. These workflows utilized `${{ toJSON(secrets) }}` to serialize and exfiltrate the entire secrets context of each targeted repository as a downloadable artifact. Additionally, stolen npm tokens were abused to identify and republish writable packages, facilitating downstream supply-chain propagation across the npm ecosystem.
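A repository audit for the workflow behaviour described above, as an added example that is not part of the original article or any vendor tooling: it flags workflow files that serialize the whole secrets context, reports the line, and marks the file path named in the article, while leaving ordinary `secrets.NAME` references alone. The workflow contents and every file name other than `format-check.yml` are constructed samples.

```python
import re

# toJSON(secrets) hands the job every secret it can read; matched
# case-insensitively and with free whitespace, since both spellings occur.
DUMP_RE = re.compile(r"\btoJSON\s*\(\s*secrets\s*\)", re.IGNORECASE)
WORKFLOW_RE = re.compile(r"(?:^|/)\.github/workflows/[^/]+\.ya?ml$")
IOC_PATH = ".github/workflows/format-check.yml"   # path named in the article

def scan_workflows(files):
    """files: {path: YAML text}. Returns {path: sorted reasons} for flagged workflows."""
    report = {}
    for path, text in files.items():
        path = path.replace("\\", "/")
        if not WORKFLOW_RE.search(path):
            continue                      # only workflow files are executed by Actions
        reasons = set()
        if path.endswith(IOC_PATH):
            reasons.add("ioc-path")
        for no, line in enumerate(text.splitlines(), 1):
            if line.lstrip().startswith("#"):
                continue                  # whole-line YAML comment
            if DUMP_RE.search(line):
                reasons.add(f"secrets-dump@L{no}")
        if reasons:
            report[path] = sorted(reasons)
    return report

SAMPLE = {  # constructed workflow files, not recovered from the incident
    ".github/workflows/format-check.yml":
        "jobs:\n  check:\n    steps:\n      - run: ./format.sh\n"
        "        env:\n          CTX: ${{ toJSON(secrets) }}\n",
    ".github/workflows/release.yaml":
        "env:\n  ALL: ${{ toJson( secrets ) }}\n",
    ".github/workflows/ci.yml":
        "# never use toJSON(secrets) here\nenv:\n  TOKEN: ${{ secrets.NPM_TOKEN }}\n",
    "docs/example.yml": "run: echo ${{ toJSON(secrets) }}\n",
}

if __name__ == "__main__":
    for path, reasons in scan_workflows(SAMPLE).items():
        print(path, reasons)
```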
Attribution to TeamPCP
The threat actor group known as TeamPCP appears to be claiming responsibility for the attack. An account named `ir` on X (formerly Twitter) posted taunting messages following the incident’s disclosure, stating, “Thank you OSS distribution for another very successful day at PCP inc.” This aligns with TeamPCP’s previous campaign in March 2026, where the group compromised multiple ecosystems, including GitHub Actions, Docker Hub, npm, and OpenVSX.
Implications and Recommendations
This incident underscores the critical importance of securing the software supply chain, especially for tools integral to development and deployment processes. Organizations are advised to:
1. Audit and Verify: Regularly audit and verify the integrity of third-party tools and dependencies used within their environments.
2. Monitor for Anomalies: Implement monitoring systems to detect unusual activities or unauthorized changes in repositories and CI/CD pipelines.
3. Credential Management: Rotate and manage credentials securely, minimizing the risk of exposure through compromised tools.
4. Community Vigilance: Engage with the broader security community to stay informed about emerging threats and collaborate on mitigation strategies.
By adopting these practices, organizations can enhance their resilience against supply chain attacks and protect their critical assets from malicious actors.