



























Docker alerted Socket to malicious images pushed to the official checkmarx/kics Docker Hub repository after internal monitoring flagged suspicious new activity around KICS image tags. Our investigation found that attackers appear to have overwritten existing tags, including v2.1.20 and alpine, while also introducing a new v2.1.21 tag that does not correspond to a legitimate upstream release.
Analysis of the poisoned image indicates that the bundled KICS binary was modified to include data collection and exfiltration capabilities not present in the legitimate version. Our investigation found evidence that the malware could generate an uncensored scan report, encrypt it, and send it to an external endpoint, creating a serious risk for teams using KICS to scan infrastructure-as-code files that may contain credentials or other sensitive configuration data.
As Socket researchers dug deeper, the incident quickly expanded beyond poisoned container images. In addition to the trojanized KICS image, we found signs that related Checkmarx developer tooling may also have been affected, including recent VS Code extension releases that introduced code capable of downloading and executing a remote addon through the Bun runtime. Analysis of those releases found that the behavior appeared in versions 1.17.0 and 1.19.0, was removed in 1.18.0, and relied on a hardcoded GitHub URL to fetch and run additional JavaScript without user confirmation or integrity verification.
Early analysis of the poisoned KICS image found that the bundled binary had been modified to include unauthorized telemetry and exfiltration functionality not present in the legitimate version. Based on current evidence, organizations that used the affected image to scan Terraform, CloudFormation, or Kubernetes configurations should consider any secrets or credentials exposed to those scans potentially at risk. The evidence suggests this is not an isolated Docker Hub incident, but part of a broader supply chain compromise affecting multiple Checkmarx distribution channels.
We are crediting Docker for catching the suspicious image push and notifying us. Their alert enabled rapid investigation into what appears to be another serious supply chain compromise affecting Checkmarx’s KICS distribution.
This is a developing story. We have disclosed our findings to the Checkmarx team and will publish full technical analysis as our investigation continues.
UPDATE: Several checkmarx/kics tags were updated to point to the malicious digest and have since been restored to the prior legitimate release. The affected tags included v2.1.20-debian, v2.1.20, debian, alpine, and latest. The v2.1.21 tag has since been deleted.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。