Hackers have compromised Docker images, VSCode and Open VSX extensions for the Checkmarx KICS analysis tool to harvest sensitive data from developer environments.
KICS, short for Keeping Infrastructure as Code Secure, is a free, open-source scanner that helps developers identify security vulnerabilities in source code, dependencies, and configuration files.
The tool is typically run locally via CLI or Docker, and processes sensitive infrastructure configs that often contain credentials, tokens, and internal architecture details.
Dependency security company Socket investigated the incident after receiving an alert from Docker about malicious images pushed to the official checkmarx/kics Docker Hub repository.
The investigation revealed that the compromise extended beyond the trojanized KICS Docker image to VS Code and Open VSX extensions that downloaded a hidden ‘MCP addon’ feature designed to fetch the secret-stealing malware.
Socket found that the ‘MCP addon’ feature downloaded from a hardcoded GitHub URL “a multi-stage credential theft and propagation component” as mcpAddon.js.
According to the researchers, the malware targets precisely the data processed by KICS, including GitHub tokens, cloud (AWS, Azure, Google Cloud) credentials, npm tokens, SSH keys, Claude configs, and environment variables.
It then encrypts it and exfiltrates it to audit.checkmarx[.]cx, a domain designed to impersonate legitimate Checkmarx infrastructure. Moreover, public GitHub repositories are automatically created for data exfiltration.
.jpg)
Source: Socket
It is important to clarify that Docker tags were temporarily repointed to a malicious digest, so the impact depends on when they were pulled. The dangerous timeframe for the DockerHub KICS image was from 2026-04-22 14:17:59 UTC to 2026-04-22 15:41:31 UTC.
Affected tags have now been restored to their legitimate image digests, and the fake v2.1.21 tag was deleted entirely.
Developers who have downloaded the above should consider their secrets compromised, rotate them as soon as possible, and rebuild their environments from a known safe point.
While the TeamPCP hackers, responsible for the massive Trivy and LiteLLM supply-chain compromise, claimed the attack publicly, the researchers could not find sufficient evidence beyond pattern-based correlations to confidently attribute it.
BleepingComputer has reached out to Checkmarx, an application security testing company, for a statement, but a comment wasn’t immediately available.
Meanwhile, the company published a security bulletin about the incident, assuring users that all malicious artifacts have been removed, and their exposed credentials were revoked and rotated.
The firm is currently investigating with help from external experts and has promised to provide more information as it becomes available.
Users of the compromised tool are recommended to block access to ‘checkmarx.cx => 91[.]195[.]240[.]123’ and ‘audit.checkmarx.cx => 94[.]154[.]172[.]43,’ use pinned SHAs, revert to known safe versions, and rotate secrets and credentials if compromise is suspected or confirmed.
The latest safe versions of the compromised projects are: DockerHub KICS v2.1.20, Checkmarx ast-github-action v2.3.36, Checkmarx VS Code extensions v2.64.0, and Checkmarx Developer Assist extension v1.18.0.
AI chained four zero-days into one exploit that bypassed both renderer and OS sandboxes. A wave of new exploits is coming.
At the Autonomous Validation Summit (May 12 & 14), see how autonomous, context-rich validation finds what’s exploitable, proves controls hold, and closes the remediation loop.
