Hackers compromised Checkmarx KICS Docker images and VS Code/Open VSX extensions to harvest developer secrets by delivering a hidden "MCP addon" that downloaded credential-stealing malware. Affected users should assume secrets are exposed, rotate credentials, revert to pinned safe versions, and follow remediation guidance from Checkmarx and Socket. #KICS #Checkmarx #TeamPCP #DockerHub #VSCode #OpenVSX
Keypoints
- Checkmarx KICS Docker images and VS Code/Open VSX extensions were trojanized to steal sensitive developer data.
- Socket's investigation found a hidden "MCP addon" that fetched mcpAddon.js from a hardcoded GitHub URL.
- The malware targeted GitHub tokens, AWS/Azure/Google Cloud credentials, npm tokens, SSH keys, Claude configs, and environment variables, encrypting and exfiltrating them to audit.checkmarx[.]cx and auto-created GitHub repos.
- The malicious Docker digest was served between 2026-04-22 14:17:59 UTC and 2026-04-22 15:41:31 UTC; the affected tags have since been restored. Anyone who pulled the image in that window should rotate secrets, revert to known-safe versions, and pin images by immutable digest (`@sha256:...`) rather than by mutable tag, since a tag can be re-pointed at a different image without any change to the reference.
- TeamPCP publicly claimed responsibility but attribution remains unconfirmed; Checkmarx removed malicious artifacts, rotated exposed credentials, and is investigating with external experts.
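As an added example of the "pin by digest" advice (this is not code from the original summary, from Checkmarx, or from Socket), the POSIX shell check below scans a CI or Dockerfile text for references to the KICS image and flags each one as PINNED (referenced by a full `@sha256:` digest) or UNPINNED (referenced by tag only, or by a malformed digest). The Docker Hub image name `checkmarx/kics` is assumed, the input is a constructed sample rather than real project files, and the all-zero digest is a placeholder, not a known-good value; the trusted digest should come from Checkmarx's own remediation guidance.

```shell
#!/bin/sh
# Added example (not part of the original advisory). Finds references to the
# KICS image in a file and reports whether each is pinned by digest.
# Assumption: the image is published as checkmarx/kics (name assumed here).

# Print one line per distinct KICS reference: "PINNED <ref>" or "UNPINNED <ref>".
# Returns 0 only if every reference carries a full 64-hex-char sha256 digest.
check_kics_pins() {
    file="$1"
    status=0
    # Grab every whitespace-delimited token containing checkmarx/kics, strip
    # surrounding quotes (YAML often writes image: "checkmarx/kics:tag"),
    # and dedupe so a repeated reference is reported once.
    refs=$(grep -oE '[^[:space:]]*checkmarx/kics[^[:space:]]*' "$file" \
           | tr -d "\"'" | sort -u)
    for ref in $refs; do
        # A tag (":latest") or a truncated/malformed digest does not count as pinned.
        if printf '%s\n' "$ref" | grep -qE '@sha256:[0-9a-f]{64}$'; then
            echo "PINNED   $ref"
        else
            echo "UNPINNED $ref"
            status=1
        fi
    done
    return $status
}

# Convenience wrapper: print the number of unpinned references (always exits 0).
count_unpinned_kics_refs() {
    check_kics_pins "$1" | grep -c '^UNPINNED' || true
}

# Constructed sample input: two tag-only references and one digest-pinned one.
# The digest is a placeholder (all zeros), not a real or known-good KICS digest.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed sample CI config, not a real project file
image: "checkmarx/kics:latest"
script:
  - docker run -t docker.io/checkmarx/kics:latest scan -p /src
FROM checkmarx/kics@sha256:0000000000000000000000000000000000000000000000000000000000000000 AS kics
EOF

check_kics_pins "$SAMPLE" || echo "unpinned KICS references found: $(count_unpinned_kics_refs "$SAMPLE")"
```

The check is deliberately strict about digest length: a reference such as `checkmarx/kics@sha256:abc` would not resolve to a specific image and is reported as UNPINNED. Run it against every Dockerfile, compose file and CI workflow that pulls KICS; any UNPINNED line is a place where a re-pointed tag could have delivered the malicious digest during the window above.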