A significant supply chain attack targeting the official checkmarx/kics Docker Hub repository, where threat actors pushed trojanized images capable of harvesting and exfiltrating sensitive developer credentials and infrastructure secrets.
Docker’s internal monitoring flagged suspicious activity around KICS image tags on April 22, 2026, and promptly alerted Socket researchers.
The investigation revealed that attackers had overwritten existing tags, including v2.1.20 and alpine while also introducing a new v2.1.21 tag that has no corresponding legitimate upstream release.
The affected tags ultimately included v2.1.20-debian, v2.1.20, debian, alpine, and latest, all of which have since been restored to their prior legitimate releases.
KICS, short for Keeping Infrastructure as Code Secure, is an open-source tool widely used by DevOps and security teams to scan Terraform, CloudFormation, and Kubernetes configurations for security misconfigurations. Its broad adoption across CI/CD pipelines made it an especially high-value target for supply chain attackers.
Trojanized Binary and Credential Exfiltration
Analysis of the poisoned KICS images revealed that the bundled ELF binary written in Golang had been modified to include unauthorized telemetry and data exfiltration capabilities entirely absent from the legitimate version.
The malware was designed to generate uncensored IaC scan reports, encrypt the results, and silently transmit them to an attacker-controlled external endpoint at https://audit.checkmarx[.]cx/v1/telemetry.
Organizations that used the affected images to scan infrastructure-as-code files should treat any exposed secrets, cloud credentials, or API keys as potentially compromised.
The malicious binary shared the same Command and Control (C2) server address as a separately discovered JavaScript payload called mcpAddon.js, indicating a coordinated, multi-component attack infrastructure.
VS Code Extensions Also Weaponized
As Socket researchers expanded their investigation, the scope broadened well beyond Docker Hub. Trojanized versions of Checkmarx’s VS Code and Open VSX extensions were also identified specifically, cx-dev-assist versions 1.17.0 and 1.19.0, and ast-results versions 2.63.0 and 2.66.0.
These extensions, upon activation, silently downloaded a second-stage payload (mcpAddon.js) from a hardcoded GitHub URL pointing to an orphaned backdated commit (68ed490b) in the official Checkmarx repository, then executed it using the Bun runtime without user consent or integrity verification.
The mcpAddon.js file a heavily obfuscated, ~10MB JavaScript bundle functioned as a full-featured credential stealer.
It harvested GitHub authentication tokens, AWS credentials, Azure and Google Cloud tokens, npm configuration files, SSH keys, and environment variables, compressing and encrypting the exfiltrated data before sending it to the attacker’s endpoint.
The malware’s reach extended beyond credential theft. Using stolen GitHub tokens, the malware injected malicious GitHub Actions workflows (.github/workflows/format-check.yml) into repositories the victim had write access to.
The workflow exploited ${{ toJSON(secrets) }} to serialize and exfiltrate the entire secrets context of each targeted repository as a downloadable artifact. Stolen npm tokens were further abused to identify and republish writable packages, enabling downstream supply-chain propagation across the npm ecosystem.
The threat actor group TeamPCP appears to be claiming credit for the attack. Their account on X posted taunting messages after the story broke, stating “Thank you OSS distribution for another very successful day at PCP inc.”.
This is consistent with TeamPCP’s prior March 2026 campaign, in which the group compromised Checkmarx GitHub Actions and OpenVSX plugins in a broader supply chain attack that also targeted Trivy and LiteLLM.mrcloudbook+2
Security teams should take the following actions immediately:
- Remove all affected KICS Docker images, VS Code extensions, and GitHub Actions from developer systems and build pipelines
- Rotate GitHub tokens, npm tokens, cloud credentials (AWS, Azure, GCP), SSH keys, and all CI/CD secrets exposed to affected environments
- Audit GitHub repositories for unauthorized workflow files, unexpected branch creation, suspicious artifact downloads, and public repositories named with the pattern
- -<3 digits> - Hunt for outbound connections to
94[.]154[.]172[.]43oraudit.checkmarx[.]cx, unexpected Bun runtime execution, and unauthorized access to.npmrc,.env, or cloud credential stores - Pin Docker image references to verified SHA256 digests rather than mutable tags
Key Indicators of Compromise
| Artifact | Indicator |
|---|---|
| C2 Endpoint | https://audit.checkmarx[.]cx/v1/telemetry |
| Malicious IP | 94[.]154[.]172[.]43 |
| mcpAddon.js SHA256 | 24680027afadea90c7c713821e214b15cb6c922e67ac01109fb1edb3ee4741d9 |
| KICS ELF SHA256 | 2a6a35f06118ff7d61bfd36a5788557b695095e7c9a609b4a01956883f146f50 |
| Affected Docker tags | alpine, latest, debian, v2.1.20, v2.1.21, v2.1.20-debian |
Socket has disclosed its findings to the Checkmarx security team and continues to publish updated technical analysis as the investigation develops. The Docker repository has been archived, and all affected tags have been restored to verified legitimate releases.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
