Malicious KICS Docker Images and VS Code Extensions Hit Checkmarx Supply Chain

Cybersecurity researchers have warned of malicious images pushed to the official 'checkmarx/kics' Docker Hub repository and compromised VS Code extensions designed to steal developer credentials.
Cybersecurity researchers have warned of malicious images pushed to the official "checkmarx/kics" Docker Hub repository.
In an alert published today, software supply chain security company Socket revealed that unknown threat actors managed to have overwritten existing tags, including v2.1.20 and alpine, while also introducing a new v2.1.21 tag that does not correspond to an official release. The Docker repository has been archived as of writing.
"Analysis of the poisoned image indicates that the bundled KICS binary was modified to include data collection and exfiltration capabilities not present in the legitimate version," Socket said.
"The malware could generate an uncensored scan report, encrypt it, and send it to an external endpoint, creating a serious risk for teams using KICS to scan infrastructure-as-code files that may contain credentials or other sensitive configuration data."
Further analysis of the incident has uncovered that related Checkmarx developer tooling may also have been affected, such as recent Microsoft Visual Studio Code extension releases that come with malicious code to download and run a remote addon through the Bun runtime.
"The behavior appeared in versions 1.17.0 and 1.19.0, was removed in 1.18.0, and relied on a hard-coded GitHub URL to fetch and run additional JavaScript without user confirmation or integrity verification," Socket added.
The list of affected extensions is below -
- checkmarx/[email protected]
- checkmarx/[email protected]
- checkmarx/[email protected]
- checkmarx/[email protected]
Specifically, the compromised Checkmarx extensions come with a multi-stage credential theft and propagation component that, upon extension activation, is downloaded from a GitHub URL as "mcpAddon.js." The file name implies an attempt to masquerade the malware as a hidden Model Context Protocol (MCP) feature.
"The attacker began by injecting a backdated commit (68ed490b) into the 'Checkmarx/ast-vscode-extension' repository," Socket said. "This commit was deliberately crafted to appear legitimate: it was spoofed to look like it was authored in 2022, attached to a real commit as its parent, and given a benign-looking change. However, it introduced a large (~10MB) file, modules/mcpAddon.js."
It comes with capabilities to harvest developer and cloud credentials, compress and encrypt the results, and transmit them to a threat actor-created public GitHub repository created within victim accounts using stolen GitHub access tokens. The list of captured data is as follows -
- Github Auth tokens
- Amazon Web Services (AWS) credentials
- Microsoft Azure authentication tokens
- Google Cloud credential databases
- NPM configuration files
- SSH keys and configuration files
- Environment variables
- Claude and other MCP configuration files
Besides staging the exfiltration artifacts in public GitHub repositories as JSON files, the attack chain is engineered to send the tokens and secrets to an HTTPS endpoint under the threat actor's control: "audit.checkmarx[.]cx/v1/telemetry."
As for the compromised Docker images, they have been found to bundle an ELF binary written in Golang named "kics" in an attempt to mimic the KICS scanner. In reality, it contains malicious functionality to gather sensitive data and send it to the same command-and-control server address as "mcpAddon.js."
"It also abuses stolen GitHub tokens to inject a new GitHub Actions workflow that captures secrets available to the workflow run as an artifact, and uses stolen npm credentials to identify writable packages for downstream republishing," the company explained. "In effect, the operation was designed not just to steal data from infected environments, but to turn compromised developer and CI/CD access into new exfiltration and supply chain propagation paths."
The malware performs repository discovery, targets those that have configured GitHub Actions secrets, and then creates a new branch for each of them, followed by injecting the rogue workflow (".github/workflows/format-check.yml") to extract CI/CD secrets when it's triggered automatically on push events. Once the workflow is run, the branch and the workflow run are deleted to conceal traces of malicious activity.
In the final stage, the attack shifts to a worm-like npm ecosystem propagation, abusing the victim's npm credentials to extract 250 packages maintained by them and republish each of those packages with the malicious payload to further spread the malware.
Evidence suggests that the threat actor known as TeamPCP may be behind the supply chain compromise. "Thank you OSS distribution for another very successful day at PCP inc.," TeamPCP wrote in an X post shortly after details of the incident became public knowledge.
To mitigate the threat, developers who have pulled the affected Checkmarx artifacts should assume compromise and take the following steps -
- Immediately remove the affected extensions, actions, and container images from developer systems and build environments.
- Rotate any exposed credentials, including GitHub tokens, npm tokens, cloud credentials, SSH keys, and CI/CD secrets.
- Review GitHub for unauthorized repository creation and suspicious workflows.
- Audit npm for unauthorized publication of packages.
- Review access logs for unusual secret access, token use, and newly issued credentials in cloud environments.
Source: The Hacker News














