🚨 DEVELOPING STORY: Malicious artifacts found in the official @Checkmarx KICS Docker Hub repository and VS Code extensions.
@Docker flagged suspicious activity on the checkmarx/kics Docker Hub repo and alerted Socket. Our investigation found that attackers overwrote existing image tags (including v2.1.20 and alpine) and pushed a fake v2.1.21 tag with no corresponding upstream release.
The poisoned KICS binary was modified to collect and exfiltrate data. It could generate an uncensored scan report, encrypt it, and send it to an external endpoint. If you use KICS to scan Terraform, CloudFormation, or Kubernetes configs, that means credentials and secrets in those files were potentially exfiltrated.
This goes beyond Docker Hub. We also found suspicious VS Code extension releases for Checkmarx tooling:
• Versions 1.17.0 and 1.19.0 introduced code that downloads and executes a remote addon via the Bun runtime
• The behavior was removed in 1.18.0, then reappeared in 1.19.0
• Relies on a hardcoded GitHub URL to fetch and run JavaScript with no user confirmation or integrity verification
This looks like a broader supply chain compromise affecting multiple Checkmarx distribution channels.
Credit to Docker for catching the suspicious image push and notifying us. Their monitoring enabled rapid investigation.
If your org used the affected KICS image, treat any secrets or credentials exposed to those scans as potentially compromised. Rotate them now.
Developing story... We've disclosed to the Checkmarx team and will publish full technical analysis as the investigation continues.
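A triage helper for the two exposure paths the post names, added here as an example and not code from Socket, Docker or Checkmarx: it scans Dockerfile, compose or CI text for `checkmarx/kics` image references that rely on a mutable tag (the thing the attackers overwrote) instead of a `@sha256` digest, flagging the tags the post lists, and parses `code --list-extensions --show-versions` output for Checkmarx extensions at the versions the post names. The publisher id `checkmarx` and the extension name are assumptions (the post does not give the extension identifier), and all sample inputs are constructed.

```python
import re

# From the post: tags reported overwritten or fabricated on the checkmarx/kics repo.
AFFECTED_KICS_TAGS = {"v2.1.20", "alpine", "v2.1.21"}
# From the post: extension versions reported to carry the remote-addon loader.
AFFECTED_EXTENSION_VERSIONS = {"1.17.0", "1.19.0"}
# ASSUMPTION: publisher id of the Checkmarx VS Code extension; not stated in the post.
EXTENSION_PUBLISHER = "checkmarx"

# Matches [registry/]checkmarx/kics[:tag][@sha256:digest]; the lookbehind stops
# a longer repository name such as "notcheckmarx/kics" from matching.
IMAGE_REF = re.compile(
    r"(?<![\w.-])(?P<repo>(?:[\w.-]+/)?checkmarx/kics)"
    r"(?::(?P<tag>[\w.-]+))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?"
)


def audit_image_refs(text: str) -> list[dict]:
    """Return one finding per checkmarx/kics reference in Dockerfile/compose/CI text.

    pinned        -> the reference carries an immutable @sha256 digest
    affected_tag  -> the tag is one the post reports as overwritten or fake
    A reference that is both unpinned and on an affected tag is the urgent case:
    whatever was pulled depends on when the pull happened, not on the tag text.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in IMAGE_REF.finditer(line):
            tag = m.group("tag")  # None when only a digest is given
            findings.append({
                "line": lineno,
                "ref": m.group(0),
                "tag": tag,
                "pinned": m.group("digest") is not None,
                "affected_tag": tag in AFFECTED_KICS_TAGS,
            })
    return findings


def audit_extensions(listing: str) -> list[dict]:
    """Parse `code --list-extensions --show-versions` output (publisher.name@version)
    and report every extension from the assumed Checkmarx publisher, marking the
    versions the post names as affected."""
    findings = []
    for line in listing.splitlines():
        line = line.strip()
        if not line or "@" not in line:
            continue
        ident, version = line.rsplit("@", 1)
        publisher = ident.split(".", 1)[0].lower()
        if publisher == EXTENSION_PUBLISHER:
            findings.append({
                "extension": ident,
                "version": version,
                "affected": version in AFFECTED_EXTENSION_VERSIONS,
            })
    return findings


# Constructed sample input: a Dockerfile fragment plus a compose-style line.
# The digest is a placeholder, and v2.1.19 stands in for a tag not in the post's list.
SAMPLE_DOCKERFILE = f"""\
FROM checkmarx/kics:v2.1.21 AS scanner
FROM docker.io/checkmarx/kics:alpine
FROM checkmarx/kics@sha256:{'a' * 64}
FROM python:3.12-slim
    image: checkmarx/kics:v2.1.19
"""

# Constructed sample input in the `code --list-extensions --show-versions` format.
# EXTENSION-NAME-PLACEHOLDER stands for the real extension name, which the post omits.
SAMPLE_EXTENSIONS = """\
ms-python.python@2024.0.0
checkmarx.EXTENSION-NAME-PLACEHOLDER@1.19.0
checkmarx.EXTENSION-NAME-PLACEHOLDER@1.18.0
"""

if __name__ == "__main__":
    for f in audit_image_refs(SAMPLE_DOCKERFILE):
        status = "AFFECTED TAG" if f["affected_tag"] else "ok"
        pin = "digest-pinned" if f["pinned"] else "UNPINNED"
        print(f"line {f['line']}: {f['ref']} [{pin}, {status}]")
    for e in audit_extensions(SAMPLE_EXTENSIONS):
        print(f"{e['extension']}@{e['version']}: {'AFFECTED' if e['affected'] else 'ok'}")
```

Run it against your real build files and the output of `code --list-extensions --show-versions`; any unpinned reference, affected tag or not, is a candidate for pinning by digest once the clean digest is confirmed, since an unaffected tag today is just as mutable as the ones that were overwritten.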
