Researchers warn that malicious images were pushed to the official checkmarx/kics Docker Hub repository after attackers overwrote existing tags and added a fake v2.1.21 release. Analysis shows the poisoned KICS binary collected, encrypted, and exfiltrated scan reports, and related Checkmarx tooling (including certain Visual Studio Code extension releases) fetched and ran a remote add-on using the Bun runtime, pointing to a broader supply chain compromise. #Checkmarx #KICS #DockerHub #VisualStudioCode #Bun #Terraform #CloudFormation #Kubernetes
Keypoints
- Attackers overwrote tags (v2.1.20, alpine) and introduced a non-official v2.1.21 image on the checkmarx/kics Docker Hub repository.
- The compromised KICS binary was modified to generate, encrypt, and exfiltrate unredacted (uncensored) scan reports, so anything KICS found during a scan left the environment in full.
- Certain Visual Studio Code extension releases (1.17.0 and 1.19.0) downloaded and executed a remote add-on from a hardcoded GitHub URL using the Bun runtime.
- Organizations that used the affected KICS images to scan IaC should treat any secrets or credentials present in the scanned code as compromised and rotate them.
- Socket’s analysis indicates this incident is part of a wider supply chain compromise affecting multiple Checkmarx distribution channels, and the Docker repo has been archived.
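A first triage step before deciding on credential rotation is to find every place a pipeline pulls checkmarx/kics by a mutable tag, flag the tags the keypoints name, and separate them from digest-pinned references, which a re-pushed tag cannot silently change. The following is an added example written for this page, not code from the article, Checkmarx or Socket; the sample CI config and the all-zero digest are constructed placeholders, and the affected-tag set is taken from the keypoints above, so a tag outside it is reported as "unlisted", not as clean.

```python
import re

# Tags the advisory names on the checkmarx/kics Docker Hub repository:
# v2.1.20 and alpine were overwritten, v2.1.21 was a non-official addition.
# Tags outside this set are not proven clean; they are only "not listed".
AFFECTED_TAGS = {"v2.1.20", "alpine", "v2.1.21"}

# Matches checkmarx/kics image references with an optional registry prefix,
# optional tag and optional sha256 digest, e.g.
#   checkmarx/kics:v2.1.20
#   docker.io/checkmarx/kics@sha256:<64 hex chars>
IMAGE_RE = re.compile(
    r"(?P<repo>(?:[\w.-]+/)*checkmarx/kics)"
    r"(?::(?P<tag>[\w][\w.-]*))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?"
)

# Constructed placeholder digest (all zeros); not a real checkmarx/kics digest.
PLACEHOLDER_DIGEST = "sha256:" + "0" * 64

# Constructed sample CI config, not taken from any real pipeline.
SAMPLE_CONFIG = f"""\
# constructed sample pipeline
jobs:
  scan:
    container:
      image: checkmarx/kics:v2.1.20
    steps:
      - run: docker run --rm -v $PWD:/path checkmarx/kics:alpine scan -p /path
      - run: docker pull docker.io/checkmarx/kics:v2.1.21
  pinned:
    container:
      image: checkmarx/kics@{PLACEHOLDER_DIGEST}
  floating:
    container:
      image: checkmarx/kics
"""


def classify(tag, digest):
    """Map a (tag, digest) pair to a finding status."""
    if digest:
        # Content-addressed: overwriting a tag cannot change what this resolves to.
        return "pinned-by-digest"
    if tag is None:
        # No tag means Docker resolves :latest, which is mutable.
        return "mutable-implicit-latest"
    if tag in AFFECTED_TAGS:
        return "affected-tag"
    return "unlisted-mutable-tag"


def find_kics_refs(text):
    """Return (line_number, reference, status) for every checkmarx/kics reference in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in IMAGE_RE.finditer(line):
            findings.append((lineno, m.group(0), classify(m.group("tag"), m.group("digest"))))
    return findings


def needs_credential_rotation(findings):
    """True if any reference pulls a tag the advisory lists as affected. Per the
    advisory, secrets in IaC scanned by those images should be treated as compromised."""
    return any(status == "affected-tag" for _, _, status in findings)


if __name__ == "__main__":
    results = find_kics_refs(SAMPLE_CONFIG)
    for lineno, ref, status in results:
        print(f"line {lineno}: {ref} -> {status}")
    print("rotate credentials:", needs_credential_rotation(results))
```

Run it over real CI files, Dockerfiles and wrapper scripts rather than the constructed sample. For images already present on a build host, `docker images --digests` shows the locally resolved digest, but comparing it is only meaningful against a digest recorded from a trusted pull made before the tags were overwritten; a digest first recorded after the compromise proves nothing.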
Read More: https://thehackernews.com/2026/04/malicious-kics-docker-images-and-vs.html