Cybersecurity researchers have warned of malicious images pushed to the official "checkmarx/kics" Docker Hub repository.
In an alert published today, software supply chain security company Socket revealed that unknown threat actors managed to overwrite existing tags, including v2.1.20 and alpine, while also introducing a new v2.1.21 tag that does not correspond to an official release. The Docker repository has been archived as of writing.
"Analysis of the poisoned image indicates that the bundled KICS binary was modified to include data collection and exfiltration capabilities not present in the legitimate version," Socket said.
"The malware could generate an uncensored scan report, encrypt it, and send it to an external endpoint, creating a serious risk for teams using KICS to scan infrastructure-as-code files that may contain credentials or other sensitive configuration data."
Further analysis of the incident has uncovered that related Checkmarx developer tooling may also have been affected, such as recent Microsoft Visual Studio Code extension releases that come with malicious code to download and run a remote addon through the Bun runtime.
"The behavior appeared in versions 1.17.0 and 1.19.0, was removed in 1.18.0, and relied on a hard-coded GitHub URL to fetch and run additional JavaScript without user confirmation or integrity verification," Socket added.
The list of affected extensions is below -
- checkmarx/cx-dev-assist@1.17.0
- checkmarx/cx-dev-assist@1.19.0
- checkmarx/ast-results@2.63.0
- checkmarx/ast-results@2.66.0
Specifically, the compromised Checkmarx extensions come with a multi-stage credential theft and propagation component that, upon extension activation, is downloaded from a GitHub URL as "mcpAddon.js." The file name implies an attempt to pass the malware off as a hidden Model Context Protocol (MCP) feature.
"The attacker began by injecting a backdated commit (68ed490b) into the 'Checkmarx/ast-vscode-extension' repository," Socket said. "This commit was deliberately crafted to appear legitimate: it was spoofed to look like it was authored in 2022, attached to a real commit as its parent, and given a benign-looking change. However, it introduced a large (~10MB) file, modules/mcpAddon.js."
It comes with capabilities to harvest developer and cloud credentials, compress and encrypt the results, and transmit them to a public GitHub repository that the threat actor creates within victim accounts using stolen GitHub access tokens. The list of captured data is as follows -
- GitHub auth tokens
- Amazon Web Services (AWS) credentials
- Microsoft Azure authentication tokens
- Google Cloud credential databases
- NPM configuration files
- SSH keys and configuration files
- Environment variables
- Claude and other MCP configuration files
Besides staging the exfiltration artifacts in public GitHub repositories as JSON files, the attack chain is engineered to send the tokens and secrets to an HTTPS endpoint under the threat actor's control: "audit.checkmarx[.]cx/v1/telemetry." As of writing, there are 51 repositories with the distinct phrase "Checkmarx Configuration Storage" in the README files.
As for the compromised Docker images, they have been found to bundle an ELF binary written in Golang named "kics" in an attempt to mimic the KICS scanner. In reality, it contains malicious functionality to gather sensitive data and send it to the same command-and-control server address as "mcpAddon.js."
Interestingly, the repositories created in victim accounts follow a consistent naming pattern: "<word>-<word>-<3 digits>." Some of the identified repositories are listed below. The first such repository was created on April 22, 2026, at 1:48 p.m. UTC.
- gesserit-melange-813
- atreides-heighliner-520
- prescient-sandworm-556
- prana-melange-944
"It also abuses stolen GitHub tokens to inject a new GitHub Actions workflow that captures secrets available to the workflow run as an artifact, and uses stolen npm credentials to identify writable packages for downstream republishing," the company explained. "In effect, the operation was designed not just to steal data from infected environments, but to turn compromised developer and CI/CD access into new exfiltration and supply chain propagation paths."
The malware performs repository discovery, targets those that have configured GitHub Actions secrets, and then creates a new branch for each of them, followed by injecting the rogue workflow (".github/workflows/format-check.yml") to extract CI/CD secrets when it's triggered automatically on push events. Once the workflow is run, the branch and the workflow run are deleted to conceal traces of malicious activity.
In the final stage, the attack shifts to a worm-like npm ecosystem propagation, abusing the victim's npm credentials to extract 250 packages maintained by them and republish each of those packages with the malicious payload to further spread the malware.
Organizations that may have used the affected KICS image to scan Terraform, CloudFormation, or Kubernetes configurations should treat any secrets or credentials exposed to those scans as likely compromised.
"The evidence suggests this is not an isolated Docker Hub incident, but part of a broader supply chain compromise affecting multiple Checkmarx distribution channels," the company noted.
Evidence suggests that the threat actor known as TeamPCP may be behind the supply chain compromise. "Thank you OSS distribution for another very successful day at PCP inc.," TeamPCP wrote in an X post shortly after details of the incident became public knowledge.
If this is indeed the case, the development marks the second time Checkmarx has been targeted by TeamPCP in as many months. In March 2026, the group compromised two of Checkmarx's GitHub Actions workflows ("ast-github-action" and "kics-github-action") to push a credential stealer. The incident was part of a broader supply chain attack that also hit Trivy, LiteLLM, and Telnyx.
It's currently not known how the Checkmarx compromise occurred, or whether the attackers had lingering access to Checkmarx's environment following last month's incident. "Technical evidence shows the attacker had write access to Checkmarx repos between March and April, but we cannot determine from artifacts alone whether this was retained access, re-compromise, or unremediated credentials," Socket told The Hacker News. "The orphaned commit technique suggests sustained repo access."
To mitigate the threat, developers who have pulled the affected Checkmarx artifacts should assume compromise and take the following steps -
- Immediately remove the affected extensions, actions, and container images from developer systems and build environments.
- Rotate any exposed credentials, including GitHub tokens, npm tokens, cloud credentials, SSH keys, and CI/CD secrets.
- Review GitHub for unauthorized repository creation and suspicious workflows.
- Audit npm for unauthorized publication of packages.
- Review access logs for unusual secret access, token use, and newly issued credentials in cloud environments.
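For the GitHub review step, the following is an added triage sketch, not code from Socket or Checkmarx. It checks a repository inventory for the staging-repository traits described above and looks for the rogue workflow running on a branch that was then deleted. The event schema, account names, branch names and timestamps are constructed assumptions; map your own audit-log export onto them.

```python
import re
from datetime import datetime, timedelta

# Indicators quoted in the article; the event schema below is hypothetical.
REPO_NAME = re.compile(r"^[a-z]+-[a-z]+-\d{3}$")
README_MARKER = "checkmarx configuration storage"
ROGUE_WORKFLOW = ".github/workflows/format-check.yml"

def staging_repo_reasons(repo):
    """Return which staging-repository traits a repo record shows."""
    reasons = []
    if REPO_NAME.match(repo["name"]):
        reasons.append("name-pattern")   # weak on its own, benign names match too
    if README_MARKER in repo.get("readme", "").lower():
        reasons.append("readme-marker")
    return reasons

def short_lived_workflow_branches(events, window=timedelta(hours=1)):
    """Flag (repo, branch) where the workflow ran and its run record was
    deleted, or the branch was created and deleted within `window`."""
    created, ran, flagged = {}, {}, set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        key, ts = (ev["repo"], ev["branch"]), datetime.fromisoformat(ev["ts"])
        if ev["type"] == "branch_created":
            created[key] = ts
        elif ev["type"] == "workflow_run" and ev.get("path") == ROGUE_WORKFLOW:
            ran[key] = ts
        elif ev["type"] == "run_deleted" and key in ran:
            flagged.add(key)
        elif ev["type"] == "branch_deleted" and key in ran and key in created:
            if ts - created[key] <= window:
                flagged.add(key)
    return sorted(flagged)

def _e(ts, repo, branch, kind, path=None):
    return {"ts": ts, "repo": repo, "branch": branch, "type": kind, "path": path}

# Constructed sample data: one staging-style repo, two benign ones.
REPOS = [
    {"name": "gesserit-melange-813", "readme": "# Checkmarx Configuration Storage"},
    {"name": "payments-api", "readme": "Internal service"},
    {"name": "left-pad-100", "readme": "String padding helper"},
]
EVENTS = [
    _e("2026-04-23T09:00:00", "acme/payments-api", "tmp-7f3a", "branch_created"),
    _e("2026-04-23T09:00:20", "acme/payments-api", "tmp-7f3a", "workflow_run", ROGUE_WORKFLOW),
    _e("2026-04-23T09:02:00", "acme/payments-api", "tmp-7f3a", "run_deleted"),
    _e("2026-04-23T09:02:05", "acme/payments-api", "tmp-7f3a", "branch_deleted"),
    # A same-named workflow on a long-lived branch is not flagged.
    _e("2026-04-23T10:00:00", "acme/docs-site", "main", "workflow_run", ROGUE_WORKFLOW),
]
```

A name-pattern hit without the README marker, as with the constructed "left-pad-100" entry, is only a prompt for manual review.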
In a statement posted on its site, Checkmarx said it's actively investigating the security incident and that it did not affect customers using versions or SHAs published prior to the affected timeframes. The following artifacts have been identified as potentially affected -
- Checkmarx/kics (Docker image) - v2.1.20-debian, v2.1.21-debian, debian, v2.1.21, v2.1.20, alpine, v2.1.20, v2.1.21, latest (Safe version: latest, v2.1.20, alpine, debian)
- Checkmarx/ast-github-action (GitHub Actions workflow) - 2.3.35 (Safe version: 2.3.36)
- ast-results (VS Code extension) - 2.63, 2.66 (Safe version: 2.64.0)
- cx-dev-assist (VS Code extension) - 1.17, 1.19 (Safe version: 1.18.0)
Checkmarx is also urging customers to block access to the "audit.checkmarx[.]cx" (IP address: 94.154.172[.]43) and "checkmarx[.]cx" (IP address: 91.195.240[.]123) domains, use pinned SHAs, rotate secrets and credentials if a compromise is detected, and use only safe versions of the aforementioned artifacts.
"To date, we have removed the malicious artifacts, revoked and rotated exposed credentials, blocked outbound access to attacker-controlled infrastructure, reviewed our environments for any signs of further compromise," Checkmarx told The Hacker News.



