Threat actors compromised the official Docker images and VSCode/Open VSX extensions for Checkmarx's KICS open-source Infrastructure-as-Code scanner, weaponizing the developer security tool to harvest credentials, cloud keys, and configuration secrets directly from engineering environments. Socket researchers, alerted by Docker to malicious images in the official checkmarx/kics repository, confirmed the trojanized artifacts pulled multi-stage credential theft malware staged from a hardcoded GitHub URL. Checkmarx has confirmed the incident, removed the malicious artifacts, and rotated exposed credentials.

What Happened

Socket's investigation began after Docker flagged malicious images pushed to the official checkmarx/kics Docker Hub repository. The compromise extended beyond the container image to the corresponding VSCode and Open VSX extensions, both of which downloaded a hidden "MCP addon" feature engineered to fetch secret-stealing payloads.

The MCP addon retrieved a file named mcpAddon.js from a hardcoded GitHub URL, described by Socket as "a multi-stage credential theft and propagation component." The malicious Docker tags were temporarily repointed to a hostile digest between 2026-04-22 14:17:59 UTC and 2026-04-22 15:41:31 UTC. Affected tags have since been restored to their legitimate digests, and a fake v2.1.21 tag was deleted entirely. Checkmarx published a security bulletin and is investigating with external experts.

What Was Taken

The malware was tuned precisely to the data developers process when running KICS against their IaC repositories. Targeted artifacts include:

• GitHub personal access tokens
• AWS, Azure, and Google Cloud credentials
• npm authentication tokens
• SSH private keys
• Claude configuration files
• Environment variables containing secrets

Stolen data was encrypted and exfiltrated to audit.checkmarx[.]cx, a typosquat domain crafted to impersonate legitimate Checkmarx infrastructure. The malware also automatically created public GitHub repositories under victim accounts as a secondary exfiltration channel, effectively turning compromised developer credentials into publishing infrastructure for the attackers.

Why It Matters

KICS is run locally by developers and CI pipelines and is purpose-built to ingest highly sensitive infrastructure configurations: Terraform, Kubernetes manifests, CloudFormation templates, and Dockerfiles that frequently contain hardcoded credentials, internal hostnames, and architectural blueprints. Compromising the scanner gives attackers the same level of access as a privileged DevSecOps tool, but with the trust signals of a legitimate open-source security project.

The dual-vector compromise (container registry plus IDE marketplace) raises the blast radius substantially. Even organizations that pin Docker digests may have been exposed through the extension channel, and vice versa. The use of a typosquatted Checkmarx domain for exfiltration is also designed to defeat casual log review, since audit.checkmarx.cx blends into legitimate Checkmarx telemetry traffic at a glance.

The Attack Technique

The operation followed a now-familiar dependency confusion and trusted-channel hijack pattern. Attackers gained sufficient access to push images to the official checkmarx/kics Docker Hub repository and to publish extension updates to both Microsoft's VSCode Marketplace and the Open VSX registry. Rather than embed payloads directly in primary artifacts, the operators added a lightweight "MCP addon" loader stage that fetched mcpAddon.js from GitHub at runtime. This staging approach minimizes the footprint of the initial trojanized artifact, making automated malware scanning less likely to flag the package.

Once executed, the loader harvested developer secrets, encrypted them, and exfiltrated to audit.checkmarx[.]cx. Auto-creation of public GitHub repositories using stolen tokens provided redundancy and propagation potential. The TeamPCP crew, previously linked to the Trivy and LiteLLM supply-chain compromises, publicly claimed responsibility, but Socket researchers noted only pattern-based correlations and declined to firmly attribute the campaign.

What Organizations Should Do

1. Treat all developer secrets as compromised if KICS Docker images or extensions were pulled or updated between 2026-04-22 14:17 UTC and 15:41 UTC, or if extensions were updated in the surrounding window. Rotate GitHub tokens, cloud credentials, npm tokens, SSH keys, and any secrets present in environment variables.
2. Block egress to audit.checkmarx[.]cx at perimeter and DNS layers, and hunt historical proxy and DNS logs for any resolution or connection attempts to that domain.
3. Audit GitHub accounts used by developers and CI for unexpected public repositories, new SSH keys, new OAuth grants, or anomalous personal access token issuance.
4. Pin Docker images by digest, not tag, and rebuild any container images derived from checkmarx/kics from a known-good digest. Verify digests against Checkmarx's official advisory.
5. Inventory and remove the affected VSCode and Open VSX extensions, then reinstall only after confirming the publisher has reissued clean versions. Review extension auto-update settings for high-trust developer tools.
6. Hunt for mcpAddon.js on developer endpoints and CI runners, and review recent outbound traffic from build agents to GitHub raw content endpoints associated with the staging URL.

Sources: New Checkmarx supply-chain breach affects KICS analysis tool - PRSOL:CC