Cybersecurity experts have raised alarms over compromised container images discovered in the official “checkmarx/kics” repository on Docker Hub, signaling a significant supply chain security incident.
According to a newly released advisory from software supply chain security firm Socket, unidentified attackers managed to tamper with existing image tags such as v2.1.20 and alpine. They also introduced a suspicious v2.1.21 tag that does not align with any legitimate release. At the time of reporting, the affected Docker repository has been archived.
"Analysis of the poisoned image indicates that the bundled KICS binary was modified to include data collection and exfiltration capabilities not present in the legitimate version," Socket said.
"The malware could generate an uncensored scan report, encrypt it, and send it to an external endpoint, creating a serious risk for teams using KICS to scan infrastructure-as-code files that may contain credentials or other sensitive configuration data."
Further investigation revealed that the compromise extended beyond Docker images to developer tools associated with Checkmarx. Certain versions of Microsoft Visual Studio Code extensions were found to contain malicious code capable of downloading and executing a remote add-on using the Bun runtime.
"The behavior appeared in versions 1.17.0 and 1.19.0, was removed in 1.18.0, and relied on a hard-coded GitHub URL to fetch and run additional JavaScript without user confirmation or integrity verification," Socket added.
Affected extensions include cx-dev-assist (versions 1.17.0 and 1.19.0) and ast-results (versions 2.63.0 and 2.66.0).
These compromised extensions deploy a multi-stage malware component designed to steal credentials. Once activated, the extensions download a file named “mcpAddon.js” from GitHub, disguising it as a legitimate Model Context Protocol (MCP) feature.
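To check a workstation against the versions listed above, the following added example (not code from Socket, Checkmarx or the original article) reads each installed extension's package.json and reports matches. The two extension directories are assumed defaults; the extension names and versions are the ones the article gives.

```python
import json
from pathlib import Path

# Extension names and versions the article lists as affected.
AFFECTED = {
    "cx-dev-assist": {"1.17.0", "1.19.0"},
    "ast-results": {"2.63.0", "2.66.0"},
}

# Assumed per-user install locations; add the paths your editor build uses.
DEFAULT_ROOTS = (
    Path.home() / ".vscode" / "extensions",
    Path.home() / ".vscode-server" / "extensions",
)


def scan_extensions(roots=DEFAULT_ROOTS):
    """Return (publisher, name, version, folder) for every affected build found."""
    hits = []
    for root in map(Path, roots):
        if not root.is_dir():
            continue
        for manifest in sorted(root.glob("*/package.json")):
            try:
                meta = json.loads(manifest.read_text(encoding="utf-8"))
            except (OSError, ValueError):
                continue  # unreadable or malformed manifest: skip it
            if not isinstance(meta, dict):
                continue
            name = str(meta.get("name", "")).lower()
            version = str(meta.get("version", "")).strip()
            if version in AFFECTED.get(name, ()):
                publisher = str(meta.get("publisher", "unknown"))
                hits.append((publisher, name, version, str(manifest.parent)))
    return hits


if __name__ == "__main__":
    for publisher, name, version, folder in scan_extensions():
        print(f"AFFECTED {publisher}.{name} {version} in {folder}")
```

A hit means the machine ran one of the listed builds, so the credential types the article enumerates should be rotated for that user.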
"The attacker began by injecting a backdated commit (68ed490b) into the 'Checkmarx/ast-vscode-extension' repository," Socket said. "This commit was deliberately crafted to appear legitimate: it was spoofed to look like it was authored in 2022, attached to a real commit as its parent, and given a benign-looking change. However, it introduced a large (~10MB) file, modules/mcpAddon.js."
The malware is capable of harvesting sensitive data, including GitHub tokens, AWS credentials, Azure authentication tokens, Google Cloud credentials, SSH keys, environment variables, and configuration files. This information is then compressed, encrypted, and exfiltrated to attacker-controlled GitHub repositories created using stolen credentials.
In addition, the attack chain sends stolen secrets to a remote server at “audit.checkmarx[.]cx/v1/telemetry.” Investigators identified at least 51 repositories containing exfiltrated data labeled under “Checkmarx Configuration Storage.”
The tampered Docker images were also found to include a malicious Golang-based ELF binary masquerading as the legitimate KICS scanner, performing similar data exfiltration activities.
Notably, attacker-created repositories followed a consistent naming convention and began appearing on April 22, 2026. The campaign demonstrates advanced techniques, including injecting malicious GitHub Actions workflows to capture CI/CD secrets. These workflows are automatically triggered and later removed to evade detection.
"It also abuses stolen GitHub tokens to inject a new GitHub Actions workflow that captures secrets available to the workflow run as an artifact, and uses stolen npm credentials to identify writable packages for downstream republishing," the company explained. "In effect, the operation was designed not just to steal data from infected environments, but to turn compromised developer and CI/CD access into new exfiltration and supply chain propagation paths."
The attackers further expanded their reach by exploiting npm credentials to republish up to 250 compromised packages, effectively turning the campaign into a self-propagating supply chain attack.
Organizations that used the affected KICS images to scan infrastructure configurations such as Terraform, CloudFormation, or Kubernetes are advised to treat all exposed secrets as compromised.
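To find where a code base pulls the image, the following added example (not from the article or from Socket) scans files for references to checkmarx/kics and separates tag references from digest-pinned ones. Because the article reports that existing tags were overwritten, a reference by tag cannot tell you which content was actually pulled; the verdict labels are names chosen for this example.

```python
import re
from pathlib import Path

# Tags the article names; its wording is "such as", so the list may be incomplete.
NAMED_TAGS = {"v2.1.20", "alpine", "v2.1.21"}

# Matches checkmarx/kics[:tag][@sha256:digest], with or without a docker.io/ prefix.
REF = re.compile(
    r"(?<![\w./-])(?:docker\.io/)?checkmarx/kics"
    r"(?::(?P<tag>[A-Za-z0-9_][A-Za-z0-9_.-]*))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?(?![\w/-])"
)


def classify(tag, digest):
    if digest:
        # Content is fixed by the digest; whether it is a clean build must
        # still be checked against a known-good digest.
        return "digest-pinned"
    if tag in NAMED_TAGS:
        return "tag-named-in-advisory"
    # Any other tag, or none (implicit "latest"), resolves at pull time.
    return "mutable-tag"


def scan_text(text, source="<input>"):
    """Return (source, line number, reference, verdict) for each reference."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in REF.finditer(line):
            ref = m.group(0)
            findings.append((source, lineno, ref, classify(m["tag"], m["digest"])))
    return findings


def scan_tree(root, max_bytes=1_000_000):
    """Scan every regular file under root, skipping .git and large files."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if ".git" in path.parts or not path.is_file():
            continue
        if path.stat().st_size <= max_bytes:
            text = path.read_text(encoding="utf-8", errors="ignore")
            findings.extend(scan_text(text, str(path)))
    return findings
```

Run `scan_tree(".")` at the root of a repository; every non-digest finding marks a pipeline whose pulls during the affected period need to be reviewed.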
"The evidence suggests this is not an isolated Docker Hub incident, but part of a broader supply chain compromise affecting multiple Checkmarx distribution channels," the company noted.
Evidence points to a threat actor known as TeamPCP as a possible culprit. The group hinted at involvement in a social media post shortly after the incident became public. If confirmed, this would mark the second attack targeting Checkmarx within a short span, following a similar breach in March 2026 involving compromised GitHub Actions workflows.
The exact method of the breach remains unclear. "Technical evidence shows the attacker had write access to Checkmarx repos between March and April, but we cannot determine from artifacts alone whether this was retained access, re-compromise, or unremediated credentials," Socket told The Hacker News. "The orphaned commit technique suggests sustained repo access."
Security experts recommend immediate remediation steps, including removing affected components, rotating credentials, auditing repositories and workflows, and monitoring cloud environments for suspicious activity.
In response, Checkmarx confirmed it is actively investigating the issue and stated that versions released prior to the affected timeframe remain secure. The company has removed malicious artifacts, rotated credentials, blocked attacker infrastructure, and advised users to rely only on verified safe versions.
"To date, we have removed the malicious artifacts, revoked and rotated exposed credentials, blocked outbound access to attacker-controlled infrastructure, reviewed our environments for any signs of further compromise," Checkmarx told The Hacker News.