Malicious images have been published to the official “checkmarx/kics” Docker Hub repository. According to a report from Socket, a software supply chain security firm, unidentified threat actors overwrote existing tags, including v2.1.20 and alpine, and pushed a new tag, v2.1.21, that does not correspond to any official KICS release. Because a Docker tag is a mutable pointer rather than a fixed identifier, any pipeline that pulled those tags after the overwrite received the attacker's image even though the reference in its configuration never changed.
Malicious Modifications Detected
Analysis of the compromised image shows that the KICS binary was modified to add data collection and exfiltration capabilities that the legitimate build does not have. The trojanized scanner produces unredacted scan reports (sensitive values left in the clear), encrypts them, and transmits them to an external endpoint. That is a serious risk for teams that use KICS to scan infrastructure-as-code files, which routinely contain credentials and other secrets.
Impact on Visual Studio Code Extensions
Further investigation indicates that other Checkmarx developer tools may also be compromised, in particular recent releases of its Microsoft Visual Studio Code extensions. Versions 1.17.0 and 1.19.0 contained malicious code that downloads and executes a remote add-on through the Bun runtime; the loader is absent from version 1.18.0 but present again in 1.19.0. It relied on a hardcoded GitHub URL to fetch additional JavaScript and run it without user consent and without any integrity check, so whoever controlled the content at that URL could change what the extension executed at any time.
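The loader behaviour described above gives an incident responder two things to check on developer machines: which version of the Checkmarx extension is installed, and whether any JavaScript it ships references the Bun runtime together with a GitHub URL. The script below is an added example written for this article, not code from Checkmarx, Socket, Microsoft or The Hacker News. It assumes the standard VS Code layout (each extension in its own folder under ~/.vscode/extensions with a package.json carrying publisher, name and version), assumes the publisher string is "checkmarx", and treats the Bun-plus-GitHub-URL match as a review heuristic rather than a signature of the actual loader. The extension folders it scans are constructed fixtures.

```python
"""Audit a VS Code extensions directory for the Checkmarx extension versions
named in the article (1.17.0 and 1.19.0) and list shipped JavaScript files
that mention the Bun runtime together with a GitHub URL.

Added example for this article; not Checkmarx, Socket or Microsoft code.
Assumptions: extension folders sit under a root such as ~/.vscode/extensions,
each with a package.json holding "publisher", "name" and "version"; the
publisher string "checkmarx" is assumed; the Bun + GitHub URL match is a
review heuristic, not a signature of the real loader.
"""
import json
import os
import re
import tempfile

AFFECTED_VERSIONS = {"1.17.0", "1.19.0"}   # versions named in the article
ASSUMED_PUBLISHER = "checkmarx"            # assumption, see module docstring
BUN_RE = re.compile(r"\bbun\b", re.IGNORECASE)
GITHUB_URL_RE = re.compile(r"https://(?:raw\.githubusercontent\.com|github\.com)/")
JS_EXTENSIONS = (".js", ".mjs", ".cjs")


def suspect_js_files(ext_dir):
    """Relative paths (forward slashes) of JS files matching both heuristics."""
    hits = []
    for dirpath, _, filenames in os.walk(ext_dir):
        for fn in filenames:
            if not fn.endswith(JS_EXTENSIONS):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="replace") as f:
                src = f.read()
            if BUN_RE.search(src) and GITHUB_URL_RE.search(src):
                hits.append(os.path.relpath(path, ext_dir).replace(os.sep, "/"))
    return sorted(hits)


def audit_extensions(root):
    """Map each Checkmarx-published extension folder to its version, whether
    that version is one the article names, and any JS files worth review."""
    findings = {}
    for entry in sorted(os.listdir(root)):
        ext_dir = os.path.join(root, entry)
        manifest = os.path.join(ext_dir, "package.json")
        if not os.path.isfile(manifest):
            continue
        with open(manifest, encoding="utf-8") as f:
            meta = json.load(f)
        if str(meta.get("publisher", "")).lower() != ASSUMED_PUBLISHER:
            continue
        version = str(meta.get("version", ""))
        findings[entry] = {
            "id": f"{ASSUMED_PUBLISHER}.{meta.get('name', entry)}",
            "version": version,
            "affected_version": version in AFFECTED_VERSIONS,
            "review_files": suspect_js_files(ext_dir),
        }
    return findings


def build_sample_extensions_dir():
    """Constructed fixture of three fake extension folders; the JavaScript is
    invented for this example and is not the real extension or loader code."""
    root = tempfile.mkdtemp(prefix="vscode-ext-audit-")
    fixtures = {
        "checkmarx.example-1.19.0": ("checkmarx", "example", "1.19.0",
            "// constructed sample: fetch a script from GitHub and hand it to bun\n"
            "const url = 'https://raw.githubusercontent.com/example-org/addon/main/index.js';\n"
            "require('child_process').spawn('bun', ['addon.js']);\n"),
        "checkmarx.example-1.18.0": ("checkmarx", "example", "1.18.0",
            "module.exports = { activate() {} };\n"),
        "other.tool-3.0.0": ("other", "tool", "3.0.0",
            "require('child_process').spawn('bun', ['build']);\n"),
    }
    for folder, (publisher, name, version, js) in fixtures.items():
        dist = os.path.join(root, folder, "dist")
        os.makedirs(dist)
        with open(os.path.join(root, folder, "package.json"), "w", encoding="utf-8") as f:
            json.dump({"publisher": publisher, "name": name, "version": version}, f)
        with open(os.path.join(dist, "extension.js"), "w", encoding="utf-8") as f:
            f.write(js)
    return root


if __name__ == "__main__":
    # On a real machine pass os.path.expanduser("~/.vscode/extensions") instead of the fixture.
    for folder, info in audit_extensions(build_sample_extensions_dir()).items():
        flag = "AFFECTED VERSION" if info["affected_version"] else "version not named in article"
        print(f"{folder}: {info['id']} {info['version']} -> {flag}; review: {info['review_files']}")
```

The version match is the reliable signal; the file heuristic only narrows down which files to read by hand, and a hit on an unaffected version (or a miss on an affected one) should not be treated as proof either way.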
Recommendations for Affected Users
Organizations that ran the affected KICS image against Terraform, CloudFormation, or Kubernetes configurations should treat any secrets or credentials present in the scanned files as potentially compromised and rotate them. Pipelines that pull checkmarx/kics by tag should switch to a reference pinned to a digest that Checkmarx has confirmed as legitimate, since after an overwrite the tag alone no longer says which image was actually pulled. Socket has indicated that the incident is likely not confined to Docker Hub but part of a broader supply chain compromise affecting multiple Checkmarx distribution channels.
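Two concrete checks follow from this advice: find every place a pipeline pulls checkmarx/kics by one of the overwritten tags (or by any mutable tag), and confirm that an image already present on a build host carries a digest Checkmarx published rather than the attacker's. The script below is an added example for this article, not Checkmarx's or Socket's code. The pipeline fragment and the `docker image inspect` output it processes are constructed, and the known-good digest is a placeholder that must be replaced with one confirmed by Checkmarx (the article does not publish digests). Mirrors that keep the checkmarx/kics path under a private registry are flagged as well, which is an assumption about how mirrors are named.

```python
"""Find checkmarx/kics references pulled by tag in CI text, and compare a pulled
image's RepoDigests (from `docker image inspect`) with known-good digests.

Added example for this article; not Checkmarx's or Socket's code. The sample
pipeline text and inspect output are constructed; KNOWN_GOOD_DIGESTS holds a
placeholder that must be replaced with a digest confirmed by Checkmarx.
"""
import json
import re

KICS_REPO = "checkmarx/kics"
AFFECTED_TAGS = {"v2.1.20", "alpine", "v2.1.21"}   # tags named in the article

# Placeholder, not a real digest: replace with a value confirmed by Checkmarx.
PLACEHOLDER_DIGEST = "sha256:" + "a" * 64
KNOWN_GOOD_DIGESTS = {PLACEHOLDER_DIGEST}

# Image references with at least one '/' (ns/repo:tag, registry/ns/repo@sha256:...).
IMAGE_TOKEN_RE = re.compile(r"[\w.\-]+(?:/[\w.\-]+)+(?::[\w.\-]+)?(?:@sha256:[0-9a-f]{64})?")


def parse_image_ref(ref):
    """Split 'name[:tag][@sha256:...]' into (name, tag, digest).
    A ':' after the last '/' is a tag; a ':' before it is a registry port."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    name, sep, tag = ref.rpartition(":")
    if not sep or "/" in tag:
        name, tag = ref, None
    if digest is None and tag is None:
        tag = "latest"   # implicit default tag, itself mutable
    return name, tag, digest


def normalize_repo(name):
    for prefix in ("docker.io/", "index.docker.io/", "registry-1.docker.io/"):
        if name.startswith(prefix):
            return name[len(prefix):]
    return name


def classify_kics_ref(ref):
    """None for other images; otherwise pinned_by_digest / affected_tag / mutable_tag."""
    name, tag, digest = parse_image_ref(ref)
    repo = normalize_repo(name)
    # Assumption: a private mirror keeps the checkmarx/kics path under its own host.
    if repo != KICS_REPO and not repo.endswith("/" + KICS_REPO):
        return None
    if digest:
        return "pinned_by_digest"
    return "affected_tag" if tag in AFFECTED_TAGS else "mutable_tag"


def audit_ci_text(text):
    """(line number, reference, verdict) for every checkmarx/kics reference found."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for token in IMAGE_TOKEN_RE.findall(line):
            verdict = classify_kics_ref(token)
            if verdict:
                findings.append((line_no, token, verdict))
    return findings


def verify_pulled_image(inspect_json, known_good=KNOWN_GOOD_DIGESTS):
    """Compare RepoDigests from `docker image inspect <image>` JSON against
    known-good digests. RepoDigests is empty for images built or loaded locally,
    so that case is reported as unknown rather than as a match."""
    images = json.loads(inspect_json)
    digests = [rd.split("@", 1)[1] for img in images for rd in img.get("RepoDigests", [])]
    if not digests:
        return "unknown_no_repo_digest", digests
    if all(d in known_good for d in digests):
        return "matches_known_good", digests
    return "does_not_match_known_good", digests


# Constructed pipeline fragment; not a real workflow file.
SAMPLE_CI = f"""\
jobs:
  iac-scan:
    container:
      image: checkmarx/kics:v2.1.20
    steps:
      - run: docker pull checkmarx/kics:alpine
      - run: docker run --rm docker.io/checkmarx/kics:v2.1.21 scan -p .
      - run: docker run --rm checkmarx/kics:v2.1.19 scan -p .
      - run: docker run --rm checkmarx/kics@{PLACEHOLDER_DIGEST} scan -p .
      - run: docker pull alpine:3.20
"""

# Constructed `docker image inspect` output whose digest is NOT in KNOWN_GOOD_DIGESTS.
SAMPLE_INSPECT = json.dumps([{
    "Id": "sha256:" + "b" * 64,
    "RepoTags": ["checkmarx/kics:v2.1.20"],
    "RepoDigests": ["checkmarx/kics@sha256:" + "c" * 64],
}])

if __name__ == "__main__":
    for line_no, ref, verdict in audit_ci_text(SAMPLE_CI):
        print(f"line {line_no}: {ref} -> {verdict}")
    print(verify_pulled_image(SAMPLE_INSPECT))
```

On a real build host, feed the output of `docker image inspect checkmarx/kics:v2.1.20` to verify_pulled_image; a pinned_by_digest verdict in CI still only means the pull was deterministic, so the digest itself has to be checked against the confirmed list, and an image that was pulled by tag during the incident window and later re-tagged locally may show no RepoDigest at all.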
Ongoing Investigation
The Hacker News has reached out to Checkmarx for further clarification on the situation and will provide updates as more information becomes available. As this is a developing story, users are advised to stay informed about potential risks associated with these compromised tools.
This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.