The Multi-Stage Supply Chain Compromise of Checkmarx KICS
In a sophisticated demonstration of supply chain exploitation, the official Checkmarx KICS (Keeping Infrastructure as Code Secure) ecosystem has fallen victim to a coordinated attack. Uncovered on April 22, 2026, by Docker and Socket, the breach isn’t just a simple container compromise—it is a multi-vector campaign designed to weaponize developer environments and pivot into high-value cloud infrastructure.
The attackers employed a two-pronged strategy: hijacking trusted Docker images on Docker Hub and injecting malicious code into VS Code extensions. The ultimate goal? Harvesting high-entropy secrets, including cloud credentials and authentication tokens, to facilitate long-term persistence within enterprise CI/CD pipelines.
The Docker Hub Infiltration: Poisoning the Well
The breach began with the successful compromise of the Checkmarx/Kics repository on Docker Hub. In a classic “tag hijacking” maneuver, the threat actors pushed malicious images that overwrote legitimate, trusted version tags. This ensured that any developer or automated CI pipeline pulling these images would unknowingly ingest the payload.
Compromised and Fabricated Tags:
- Overwritten Tags:
v2.1.20,v2.1.20-debian,alpine,debian, andlatest. - Fabricated Tag:
v2.1.21(a non-existent upstream version created solely to lure users seeking updates).
The technical payload within these images involved a modified Golang binary. Rather than subtly altering the scan results, the binary was engineered to generate unencrypted, “uncensored” Infrastructure as Code (IaC) scan reports. These reports—which contain a roadmap of an organization’s security vulnerabilities—were then encrypted and exfiltrated to an attacker-controlled telemetry endpoint: audit.checkmarx[.]cx/v1/telemetry.
VS Code Extension Hijacking and the mcpAddon.js Payload
The scope of the attack expanded into the developer’s local workstation via Checkmarx’s VS Code extensions (specifically versions 1.17.0 and 1.19.0). The attackers successfully injected an “MCP addon” into the extension code.

This addon acted as a sophisticated downloader, pulling a 10MB obfuscated JavaScript payload named mcpAddon.js and executing it through the Bun runtime. To bypass traditional code review and version control auditing, the attackers utilized Git history manipulation, injecting a backdated, orphaned commit into the Checkmarx/ast-vscode-extension repository to mask the introduction of the malicious code.
Once active, the payload functioned as a highly specialized token stealer, scanning for:
- GitHub: Authentication and personal access tokens.
- Cloud Infrastructure: AWS, Microsoft Azure, and Google Cloud credentials.
- Package Managers: NPM configuration files (
.npmrc). - System Secrets: SSH private keys and sensitive environment variables.
Lateral Movement: From Local Dev to Global CI/CD
What distinguishes this attack is its ability to move laterally from a single developer’s machine into the broader automation ecosystem. Using stolen GitHub tokens, the malware dynamically created public “staging” repositories under the victim’s account. These repositories, appearing innocuous, were used to host encrypted exfiltrated data. In a nod to the Dune universe, these repositories used identifiers like gesserit-melange-813 and prescient-sandworm-556.
The malware also automated the theft of GitHub Actions secrets. It identified repositories with write access and injected a malicious workflow titled format-check.yml. This workflow was designed to dump the entire secrets context of a repository into a text file, which was then uploaded as a build artifact for the attackers to download later.
Furthermore, the malware scanned .npmrc files to identify locally maintained NPM packages. It then leveraged stolen credentials to republish these packages with the malicious payload, effectively turning the victims into unwitting distributors of malware against the open-source community.
Attribution and Remediation
The threat group TeamPCP has claimed responsibility for this operation. This group has a documented history of high-impact supply chain strikes, including previous attacks on Trivy and LiteLLM.
Immediate Action Items for Security Teams:
- Purge Images: Immediately delete all
checkmarx/kicsDocker images from local caches and registries. Re-pull only from verified, known-good digests. - Audit Extensions: Verify VS Code extension versions; downgrade or remove
ast-vscode-extensionversions 1.17.0 and 1.19.0. - Credential Rotation: This is a high-severity event. Rotate all GitHub tokens, AWS/Azure/GCP keys, NPM tokens, and CI/CD environment secrets immediately.
- Pipeline Inspection: Scan GitHub repositories for unauthorized workflows (specifically
format-check.yml) and anomalous public repositories.
Technical Indicators of Compromise (IoCs)
| Indicator Type | Value / Description |
|---|---|
| C2 / Exfiltration Domain | audit.checkmarx[.]cx/v1/telemetry |
| Malicious IP | 94.154.172.43 |
| File Hash (SHA256) | 24680027afadea90c7c713821e214b15cb6c922e67ac01109fb1edb3ee4741d9 |
| Compromised Docker Tags | checkmarx/kics: v2.1.20, v2.1.20-debian, alpine, debian, latest, v2.1.21 |
| Malicious GitHub Commit | SHA: 68ed490b |
| Staging Repo Pattern | <dune-themed-word>-<dune-themed-word>-<number> |