{"id":683,"date":"2026-04-22T19:00:56","date_gmt":"2026-04-22T19:00:56","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=683"},"modified":"2026-04-22T19:00:56","modified_gmt":"2026-04-22T19:00:56","slug":"malicious-kics-docker-images-and-vs-code-extensions-hit-checkmarx-supply-chain","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=683","title":{"rendered":"Malicious KICS Docker Images and VS Code Extensions Hit Checkmarx Supply Chain"},"content":{"rendered":"<div>\n<p><span class=\"p-author\"><i class=\"icon-font icon-user\">\ue804<\/i><span class=\"author\">Ravie Lakshmanan<\/span><i class=\"icon-font icon-calendar\">\ue802<\/i><span class=\"author\">Apr 22, 2026<\/span><\/span><span class=\"p-tags\">Cloud Security \/ Software Security<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<div class=\"separator\" style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEimocxAyADkuC5qBKZquZhHtUaDSArR1yrr0eRW7dQ_qo4yJpHxj2VYF0qQBxxYfhwOv5g3PJ6raoVwGHrns8DiRFppR_OPFhc2NUoVxlMc0W3fwVyR8J0daGZ_a8IOSuqL1kXJmY6Sj1bvqJ7OwkZfJQB2Cha4WldeRwCcAopoTllcER15ca3eFwsibt6i\/s1700-e365\/kics.jpg\" style=\"display: block;  text-align: center; clear: left; float: left;\"><\/a><\/div>\n<p>Cybersecurity researchers have warned of malicious images pushed to the official \u00ab<a href=\"https:\/\/hub.docker.com\/r\/checkmarx\/kics\">checkmarx\/kics<\/a>\u00bb Docker Hub repository.<\/p>\n<p>In an alert published today, software supply chain security company Socket <a href=\"https:\/\/socket.dev\/blog\/checkmarx-supply-chain-compromise\">revealed<\/a> that unknown threat actors managed to have overwritten existing tags, including v2.1.20 and alpine, while also introducing a new v2.1.21 tag that does not correspond to an official release. The Docker repository has been archived as of writing.<\/p>\n<p>\u00abAnalysis of the poisoned image indicates that the bundled KICS binary was modified to include data collection and exfiltration capabilities not present in the legitimate version,\u00bb Socket said.<\/p>\n<p>\u00abThe malware could generate an uncensored scan report, encrypt it, and send it to an external endpoint, creating a serious risk for teams using KICS to scan infrastructure-as-code files that may contain credentials or other sensitive configuration data.\u00bb<\/p>\n<div class=\"dog_two clear\">\n<div class=\"cf\"><a href=\"https:\/\/thehackernews.uk\/fast-response-not-fast-d\" rel=\"nofollow noopener sponsored\" target=\"_blank\"><img loading=\"lazy\" decoding=\"async\" class=\"lazyload\" alt=\"Cybersecurity\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjgi9mu68zRUz1nCLLKmkAA2aBtNfP_JOTXulZoB6yImso1Onk7oM_LI0kdROu8fq5S5oDyMtd1j50W44Ye_8Sl3zQZiE8A9tmFr6kejGKjGh74uoxluF-RyBq_unDQlzjXZHCqQeuYXBoogda5zf0w-zXd6v0rIM7fEw6TcFf_QGWBu5Mop-djkEaOUa5A\/s728-e100\/tl-d.jpg\" width=\"729\" height=\"91\"\/><\/a><\/div>\n<\/div>\n<p>Further analysis of the incident has uncovered that related Checkmarx developer tooling may also have been affected, such as recent Microsoft Visual Studio Code extension releases that come with malicious code to download and run a remote addon through the Bun runtime.<\/p>\n<p>\u00abThe behavior appeared in versions 1.17.0 and 1.19.0, was removed in 1.18.0, and relied on a hardcoded GitHub URL to fetch and run additional JavaScript without user confirmation or integrity verification,\u00bb Socket added.<\/p>\n<p>Organizations that may have used the affected KICS image to scan Terraform, CloudFormation, or Kubernetes configurations should treat any secrets or credentials exposed to those scans as likely compromised.<\/p>\n<p>\u00abThe evidence suggests this is not an isolated Docker Hub incident, but part of a broader supply chain compromise affecting multiple Checkmarx distribution channels,\u00bb the company noted.<\/p>\n<p>The Hacker News has contacted Checkmarx for further information, and we will update the story if we hear back.<\/p>\n<p><em>(This is a developing story. Please check back for more details.)<\/em><\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>\ue804Ravie Lakshmanan\ue802Apr 22, 2026Cloud Security \/ Software Security Cybersecurity researchers have warned of malicious images pushed to the official \u00abcheckmarx\/kics\u00bb Docker Hub repository. In an alert published today, software supply&hellip;<\/p>\n","protected":false},"author":1,"featured_media":684,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[219,857,10,136,361,434,1052,1363,33,218],"class_list":["post-683","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-chain","tag-checkmarx","tag-code","tag-docker","tag-extensions","tag-hit","tag-images","tag-kics","tag-malicious","tag-supply"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/683","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=683"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/683\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/684"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=683"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=683"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=683"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}