Malicious Code Injected into Official KICS Docker Images and VS Code Extensions

Software supply chain security firm Socket has uncovered a sophisticated attack targeting Checkmarx's official Docker Hub repository and associated developer tools, potentially exposing sensitive data.
Published: 2026-04-22 | Author: Patrick Mattos
A recent alert from cybersecurity firm Socket has detailed a significant compromise affecting the official "checkmarx/kics" Docker Hub repository. Threat actors successfully injected malicious code into the KICS (Keep Infrastructure as Code Secure) binary, enabling data exfiltration and potentially exposing sensitive credentials embedded within infrastructure-as-code (IaC) files. The incident also appears to extend to Checkmarx's Visual Studio Code extensions, further broadening the attack surface.
The compromised KICS images, including tags like v2.1.20 and alpine, were altered to include unauthorized data collection and exfiltration capabilities. The modified binary could generate encrypted scan reports and transmit them to an external endpoint. This poses a critical risk to organizations using KICS to scan IaC configurations, as these scans often process files containing secrets, credentials, and other sensitive operational data. The investigation suggests this is not an isolated incident but part of a wider supply chain compromise impacting multiple Checkmarx distribution channels.
Further analysis revealed that certain Checkmarx developer tooling, specifically Visual Studio Code extensions, also contained malicious code. Versions 1.17.0 and 1.19.0 of these extensions were found to download and execute a remote add-on via the Bun runtime, using a hardcoded GitHub URL for fetching additional JavaScript without user consent or integrity checks. This dual-pronged attack highlights the evolving tactics of threat actors targeting the software development lifecycle.
Technical Context
The attack chain involved the compromise of the official "checkmarx/kics" Docker Hub repository. Threat actors gained the ability to overwrite existing image tags and introduce new, illegitimate ones (e.g., v2.1.21). The core of the malicious activity within the KICS binary involved the addition of data collection and exfiltration functionalities. Specifically, the modified KICS binary was capable of generating an "uncensored scan report," encrypting it, and then exfiltrating it to a remote server. This process likely involved intercepting sensitive data processed by KICS during IaC scans.
In parallel, the compromise extended to Checkmarx's Visual Studio Code extensions. Versions 1.17.0 and 1.19.0 exhibited malicious behavior by downloading and executing a remote JavaScript add-on. This was facilitated by a hardcoded GitHub URL, bypassing standard security checks and user confirmation. The use of the Bun runtime for executing this add-on suggests a modern approach to payload delivery and execution within the developer environment. The fact that version 1.18.0 was clean suggests a targeted injection rather than a persistent vulnerability in the development pipeline.
Impact and Risk
Organizations utilizing Checkmarx's KICS tool for scanning infrastructure-as-code (IaC) files, such as Terraform, CloudFormation, or Kubernetes configurations, are at high risk. Any secrets, credentials, or sensitive configuration data processed by the compromised KICS images during scans should be considered potentially exposed and compromised. The exfiltration of encrypted scan reports to an unknown external endpoint means that sensitive organizational information could be in the hands of unauthorized actors.
The compromise of Visual Studio Code extensions introduces a direct risk to developers. Malicious code executing within the development environment could lead to further compromise of developer workstations, source code repositories, or access to internal systems through compromised credentials. The broad nature of the attack, affecting multiple distribution channels, suggests a significant risk to the wider software development community that relies on these tools for security and development workflows.
Defensive Takeaways
Organizations should immediately audit their use of Checkmarx's KICS tool. If affected versions of the Docker images were used, all secrets and credentials scanned during the period of compromise should be rotated and considered compromised. It is crucial to verify the integrity of the KICS binary and the Docker images being pulled from public repositories.
For developers using Checkmarx's Visual Studio Code extensions, it is imperative to review extension versions. If versions 1.17.0 or 1.19.0 were installed, they should be uninstalled immediately, and the system should be scanned for any signs of further compromise. Developers should practice strict verification of code sources and be wary of extensions that exhibit unusual network activity or require excessive permissions. Implementing stricter controls on outbound network connections from development machines can also help mitigate the impact of such supply chain attacks.
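One way to turn the two audits above into a repeatable check, as an added example that is not part of the original article or of any Checkmarx tooling: parse the output of `code --list-extensions --show-versions` and `docker images --digests` and flag the extension versions (1.17.0, 1.19.0) and KICS image tags (v2.1.20, v2.1.21, alpine) the report names. The extension publisher id, extension name and the sample digests are placeholders, not values from the report.

```python
import re
from typing import Dict, List

# Versions and tags named in the Socket report, as given in the article text.
AFFECTED_EXTENSION_VERSIONS = {"1.17.0", "1.19.0"}
AFFECTED_KICS_TAGS = {"v2.1.20", "v2.1.21", "alpine"}

# ASSUMPTION: the article does not give the marketplace publisher id of the
# Checkmarx extensions; "checkmarx" is a placeholder to replace with the real id.
EXTENSION_PUBLISHER = "checkmarx"

def find_affected_extensions(listing: str) -> List[str]:
    """Parse `code --list-extensions --show-versions` output (one
    publisher.name@version per line) and return entries on an affected version."""
    hits = []
    for line in listing.splitlines():
        m = re.fullmatch(r"([\w-]+)\.([\w-]+)@(\d+\.\d+\.\d+)", line.strip())
        if not m:
            continue
        publisher, _name, version = m.groups()
        if publisher.lower() == EXTENSION_PUBLISHER and version in AFFECTED_EXTENSION_VERSIONS:
            hits.append(line.strip())
    return hits

def find_affected_images(listing: str) -> List[Dict[str, str]]:
    """Parse `docker images --digests` output and return checkmarx/kics rows on an
    affected tag, with the digest so it can be compared against a pinned value."""
    rows = []
    for line in listing.splitlines()[1:]:  # first line is the column header
        parts = line.split()
        if len(parts) < 3:
            continue
        repo, tag, digest = parts[0], parts[1], parts[2]
        if repo == "checkmarx/kics" and tag in AFFECTED_KICS_TAGS:
            rows.append({"tag": tag, "digest": digest})
    return rows

# Constructed sample output (extension name and digests are placeholders).
SAMPLE_EXTENSIONS = """\
ms-python.python@2024.4.1
checkmarx.example-extension@1.18.0
checkmarx.example-extension@1.19.0
"""
SAMPLE_IMAGES = """\
REPOSITORY       TAG       DIGEST                                                                    IMAGE ID       CREATED       SIZE
checkmarx/kics   v2.1.20   sha256:0000000000000000000000000000000000000000000000000000000000000000   abc123def456   2 weeks ago   150MB
checkmarx/kics   v2.1.19   sha256:1111111111111111111111111111111111111111111111111111111111111111   123456abcdef   5 weeks ago   148MB
"""

if __name__ == "__main__":
    print("affected extensions:", find_affected_extensions(SAMPLE_EXTENSIONS))
    print("affected images:", find_affected_images(SAMPLE_IMAGES))
```

On a real machine, feed the functions the captured command output instead of the constructed samples; a flagged image digest is what should be compared against a digest you pinned before pulling, since the overwritten tags are what made the mutable-tag pulls unsafe.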
