Checkmarx Supply Chain Breach: Malicious Docker Images, VS Code Extensions Threaten Developer Security

In a significant cybersecurity incident, malicious actors have infiltrated Checkmarx’s supply chain by compromising the official checkmarx/kics Docker Hub repository and associated Visual Studio Code (VS Code) extensions. This breach poses substantial risks to developers and organizations relying on these tools for secure software development.

Compromised KICS Docker Images

Cybersecurity firm Socket has identified that unknown attackers have overwritten existing tags in the checkmarx/kics Docker Hub repository, including versions v2.1.20 and alpine. Additionally, a new tag, v2.1.21, has been introduced, which does not correspond to any official release. The repository has since been archived to prevent further damage.

Analysis shows that the KICS binary inside these malicious images was altered to add unauthorized data collection and exfiltration capabilities. The malware can generate unredacted scan reports, encrypt them, and transmit the data to external endpoints. This creates a severe risk for teams that use KICS to scan infrastructure-as-code files, since those files may contain sensitive information such as credentials and configuration data.

Infected Visual Studio Code Extensions

Further investigation uncovered that related Checkmarx developer tools, specifically recent releases of Microsoft Visual Studio Code extensions, have also been compromised. Versions 1.17.0 and 1.19.0 of these extensions contain malicious code designed to download and execute remote add-ons via the Bun runtime. This behavior was absent in version 1.18.0. The malicious code relies on a hardcoded GitHub URL to fetch and run additional JavaScript without user confirmation or integrity verification.

Implications for Developers and Organizations

Organizations that have used the affected KICS images to scan Terraform, CloudFormation, or Kubernetes configurations should treat any secrets or credentials exposed during those scans as potentially compromised. The evidence suggests that this is not an isolated incident but part of a broader supply chain attack affecting multiple Checkmarx distribution channels.

Broader Context of Supply Chain Attacks

This incident is part of a growing trend of supply chain attacks targeting developer tools and environments. For instance, the GlassWorm campaign has repeatedly infiltrated Visual Studio Marketplace and Open VSX with malicious extensions designed to steal secrets and drain cryptocurrency wallets. These attacks underscore the critical need for vigilance and robust security measures in the software development lifecycle.

Recommendations for Mitigation

To mitigate the risks associated with this breach, developers and organizations should:

– Verify Integrity: Ensure that all Docker images and VS Code extensions are sourced from official and trusted repositories, and verify their integrity before each use. Because the attackers overwrote existing tags, reference Docker images by their content digest rather than by a tag name alone, so that a re-pointed tag cannot silently deliver different content.

– Update and Patch: Promptly update all development tools and extensions to their latest versions, as patches for known vulnerabilities are often included in updates, but first confirm that a new version corresponds to an official release: the malicious v2.1.21 image tag matched no official KICS release, and the compromised extension versions were recent releases.

– Monitor for Anomalies: Implement monitoring mechanisms to detect unusual activities, such as unauthorized data exfiltration or unexpected network connections originating from development environments.

– Educate Teams: Conduct regular training sessions to educate development teams about the risks of supply chain attacks and the importance of adhering to security best practices.
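The integrity check above can be turned into a policy test. The script below is an added example, not code from the article or from Checkmarx: it scans Dockerfile FROM lines and compose image: keys, flags references to the checkmarx/kics tags the article names as overwritten or unofficial, and flags any image pinned only by a mutable tag rather than a sha256 digest, which is what lets a tag overwrite pass unnoticed through a plain docker pull. The sample input and the all-zero digest are constructed placeholders.

```python
import re

# Tags the article reports as overwritten (v2.1.20, alpine) or unofficial (v2.1.21) in checkmarx/kics.
COMPROMISED_KICS_TAGS = {"v2.1.20", "alpine", "v2.1.21"}

# Constructed placeholder digest (all zeros), not a real image digest.
PLACEHOLDER_DIGEST = "sha256:" + "0" * 64
# Splits an image reference of the form [registry/]name[:tag][@sha256:digest].
IMAGE_RE = re.compile(
    r"^(?P<name>[\w./-]+?)(?::(?P<tag>[\w.-]+))?(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)


def parse_image_ref(ref: str) -> dict:
    """Return {'name', 'tag', 'digest'} for an image reference; missing parts are None."""
    m = IMAGE_RE.match(ref.strip())
    if not m:
        raise ValueError(f"unparseable image reference: {ref!r}")
    return m.groupdict()


def image_refs_from_text(text: str) -> list:
    """Collect image references from Dockerfile FROM lines and compose 'image:' keys."""
    refs = []
    for line in text.splitlines():
        line = line.strip()
        if line.upper().startswith("FROM "):
            # FROM [--platform=...] <image> [AS alias]: take the first non-flag token.
            refs.append(next(p for p in line.split()[1:] if not p.startswith("--")))
        elif line.startswith("image:"):
            refs.append(line.split(":", 1)[1].strip().strip("\"'"))
    return refs


def audit_image_refs(text: str) -> list:
    """Return (reference, finding) pairs for references that should not be pulled as-is."""
    findings = []
    for ref in image_refs_from_text(text):
        parts = parse_image_ref(ref)
        if parts["name"].endswith("checkmarx/kics") and parts["tag"] in COMPROMISED_KICS_TAGS:
            findings.append((ref, "tag reported as overwritten or unofficial; treat as compromised"))
        elif parts["digest"] is None:
            # A tag can be re-pointed on the registry; only a digest pins the exact content.
            findings.append((ref, "pinned by mutable tag only; pin by sha256 digest"))
    return findings


# Constructed sample: one Dockerfile stage plus two compose image keys.
SAMPLE = (
    "FROM --platform=linux/amd64 checkmarx/kics:v2.1.20 AS scanner\n"
    "FROM python:3.12-slim\nservices:\n  kics:\n    image: checkmarx/kics:v2.1.21\n"
    "  pinned:\n    image: \"checkmarx/kics@" + PLACEHOLDER_DIGEST + "\"\n"
)
```

Running audit_image_refs(SAMPLE) reports the two compromised KICS tags and the unpinned python image, and passes the digest-pinned reference.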

Conclusion

The compromise of Checkmarx’s supply chain through malicious KICS Docker images and VS Code extensions highlights the evolving threats facing the software development community. By adopting proactive security measures and maintaining a culture of vigilance, organizations can better protect their development environments from such sophisticated attacks.