Checkmarx KICS Docker Repository and VS Code Extension Hijacked

Supply Chain Compromise of Checkmarx KICS

Software security researchers have identified a sophisticated Supply Chain Attack targeting the official Checkmarx KICS (Keeping Infrastructure as Code Secure) ecosystem. According to The Hacker News, security firm Socket discovered that unauthorized threat actors managed to gain access to the official checkmarx/kics Docker Hub repository. The attackers leveraged this access to overwrite existing legitimate tags and introduce unauthorized versions, creating a significant risk for organizations utilizing automated scanning in their CI/CD pipelines.

KICS is a widely used open-source solution for finding security vulnerabilities, compliance issues, and infrastructure misconfigurations in Infrastructure as Code (IaC) files. Because many DevOps teams integrate KICS directly into their build processes via Docker containers, the compromise of the official repository allows attackers to execute arbitrary code within highly sensitive environments.

Technical Analysis of the Hijacked Repository

The breach involved the manipulation of several critical image tags. The threat actors successfully overwrote the v2.1.20 and alpine tags—versions that are commonly pulled by automated scripts. Furthermore, the attackers introduced a new v2.1.21 tag, which notably does not correspond to any official release from the Checkmarx development team. By overwriting stable tags, the attackers ensured that any organization performing a routine pull of the software would unknowingly download and execute the malicious payload.

This incident highlights a systemic weakness in container security: tag mutability. When a SOC or engineering team configures a pipeline to pull checkmarx/kics:v2.1.20, they assume the content is static. However, Docker Hub allows repository owners (or those who have compromised their credentials) to push new images to old tags. This TTP is highly effective for stealthy persistence, as it requires no configuration changes on the victim’s part to trigger the execution of malicious code, potentially leading to RCE or the exfiltration of environment variables and secrets.

How to Detect Malicious KICS Docker Images

For organizations concerned about potential exposure, determining how to detect malicious KICS Docker images is a priority. Defenders should immediately compare the SHA-256 manifests of their local or cached images against the known-good hashes provided in official Checkmarx release notes. Any discrepancy in the image ID or digest indicates a high probability of compromise. Furthermore, organizations should review their SIEM logs for unusual outbound network traffic originating from build runners or developer workstations that recently pulled the affected KICS tags, which could indicate a C2 connection.

Impact on Development Workflows

The threat extends beyond Docker containers into the developer IDE. Reports indicate that malicious VS Code extensions associated with the KICS ecosystem were also part of the campaign. This multi-vector approach targets the Supply Chain Attack surface at two points: the automated build server and the developer’s local environment. Preventing malicious VS Code extensions in a corporate setting requires strict allow-listing of publishers and the use of EDR solutions to monitor the behavior of extension host processes. If a developer unknowingly installed a compromised extension, the threat actor could achieve Privilege Escalation or move laterally within the internal network.

Mitigation and Detection Strategies

To remediate the checkmarx/kics repository compromise, security teams must move away from mutable tag references. The most effective defense against this category of attack is to pin images by their immutable SHA-256 digest rather than a version tag. For example, instead of pulling checkmarx/kics:alpine, pipelines should use checkmarx/kics@sha256:[hash].

Additional recommendations include:

• Registry Proxying: Utilize a private container registry (like Artifactory or Harbor) to scan and gate images before they are made available to internal build systems.
• Audit Identity and Access: Checkmarx and other vendors must enforce strict MFA for all repository maintainers to prevent credential hijacking.
• Behavioral Monitoring: Use MITRE ATT&CK frameworks to map potential post-exploitation behaviors, such as unexpected script execution from within a containerized scanning tool.

Immediate rotation of any secrets or API keys that were present in environments where the malicious KICS images were executed is strongly advised, as the IoC of this campaign suggests a high interest in credential harvesting.