🔓 BREACH BRIEF · 🟠 High · 🔍 ThreatIntel

Malicious Docker Images and VS Code Extensions Compromise Checkmarx KICS Supply Chain

Threat actors hijacked the official Checkmarx KICS Docker Hub repository, overwriting legitimate images, and published malicious extensions on the VS Code Marketplace. Organizations using KICS risk injecting malware into CI/CD pipelines, making this a critical supply‑chain concern for third‑party risk managers.

🛡️ LiveThreat™ Intelligence · 📅 April 23, 2026 · 📰 thehackernews.com
Severity: High · Type: ThreatIntel · Confidence: High · Affected: 3 sector(s) · Actions: 3 recommended · Source: thehackernews.com

What Happened – Threat actors hijacked the official checkmarx/kics Docker Hub repository, overwriting legitimate tags (e.g., v2.1.20, alpine) and publishing a rogue v2.1.21 image, a version that never existed. The same actors also uploaded malicious Visual Studio Code extensions purporting to be official KICS add‑ons, potentially delivering payloads to developers who install them.

Why It Matters for TPRM

  • Supply‑chain compromise of a widely‑used IaC scanning tool can introduce malware into downstream CI/CD pipelines.
  • Third‑party risk assessments must now consider the integrity of container registries and extension marketplaces as part of vendor security hygiene.
  • Organizations that rely on Checkmarx KICS may unknowingly propagate malicious code to production environments.

Who Is Affected – Technology / SaaS vendors, DevOps teams, cloud‑native developers, and any organization that pulls KICS Docker images or installs the associated VS Code extensions.

Recommended Actions

  • Immediately verify the provenance of all KICS Docker images and VS Code extensions in use; replace any that came from the compromised tags with known‑good versions.
  • Enforce signed image policies (e.g., Docker Content Trust) and extension signing where possible.
  • Review Checkmarx’s remediation guidance and monitor for further supply‑chain alerts.
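
A starting point for the provenance check in the first action, as an added example that is not from Checkmarx or the original reporting: it scans CI or Dockerfile text for Docker Hub references to checkmarx/kics and separates digest-pinned references from mutable tags, flagging the tags this brief names. The CI snippet, the `v0.0.0-example` tag, the `kics-other` repository name and the digest are constructed placeholders.

```python
import re

# Tags the brief names as overwritten or rogue. The brief says "e.g.",
# so treat this set as a starting point, not a complete list.
NAMED_TAGS = {"v2.1.20", "alpine", "v2.1.21"}

# Docker Hub references to checkmarx/kics, with optional tag and digest.
# The lookarounds keep similarly named repositories from matching.
IMAGE_RE = re.compile(
    r"(?<![\w./-])(?:(?:index\.)?docker\.io/)?checkmarx/kics(?![\w./-])"
    r"(?::(?P<tag>\w[\w.-]{0,127}))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?"
)

def classify(tag, digest):
    if digest:
        # Immutable reference; still compare the digest to a known-good value.
        return "pinned-by-digest"
    if tag in NAMED_TAGS:
        return "named-in-brief"
    if tag is None or tag == "latest":
        return "mutable-latest"
    return "mutable-tag"

def audit(text):
    """Return (line number, reference, status) for each KICS image reference."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in IMAGE_RE.finditer(line):
            findings.append((lineno, m.group(0), classify(m["tag"], m["digest"])))
    return findings

# Constructed CI snippet for illustration; tags outside NAMED_TAGS and the
# digest are placeholders.
CONSTRUCTED_CI = "\n".join([
    "scan:",
    "  image: checkmarx/kics:v2.1.20",
    "  script: docker run docker.io/checkmarx/kics:alpine",
    "  fallback: docker pull checkmarx/kics",
    "  other: checkmarx/kics-other:1.0",
    "  pinned: checkmarx/kics:v0.0.0-example@sha256:" + "a" * 64,
])

if __name__ == "__main__":
    for lineno, ref, status in audit(CONSTRUCTED_CI):
        print(f"line {lineno}: {status:17} {ref}")
```

A digest-pinned reference is only as trustworthy as the digest itself, so each pinned value still needs to be compared against one obtained from Checkmarx's remediation guidance.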

Technical Notes – Attack vector: third‑party dependency compromise via Docker Hub and VS Code Marketplace. No specific CVE disclosed; the malicious payloads appear to be custom backdoors embedded in the container layers and extension binaries. Data types at risk include source code, infrastructure‑as‑code templates, and any secrets baked into CI pipelines. Source: https://thehackernews.com/2026/04/malicious-kics-docker-images-and-vs.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.
