- Malicious images were uploaded to the official Checkmarx Docker Hub repository for its KICS security tool.
- The compromised software could scan infrastructure files, collect sensitive data like credentials, and exfiltrate it to external endpoints.
- The incident appears to be part of a broader supply chain compromise affecting multiple Checkmarx distribution channels, including Visual Studio Code extensions.
- Organizations that used the affected tool should treat any exposed secrets from scans as compromised.
Cybersecurity researchers revealed on April 22, 2026, that unknown threat actors compromised the official Docker Hub repository for Checkmarx's KICS infrastructure security scanning tool. According to an alert by software supply chain security company Socket, malicious images overwrote existing tags and introduced a new unauthorized version. Consequently, the Docker repository has been archived.
Analysis indicated the poisoned binary was modified to include data collection and exfiltration capabilities absent in the legitimate version. The malware could reportedly generate an uncensored scan report, encrypt it, and send it to an external endpoint. Further investigation uncovered that related Checkmarx developer tooling may also have been affected, including recent Microsoft Visual Studio Code extension releases containing malicious code to download and run a remote addon.
“The evidence suggests this is not an isolated Docker Hub incident, but part of a broader supply chain compromise affecting multiple Checkmarx distribution channels,” Socket noted. Organizations that may have used the affected KICS image to scan Terraform, CloudFormation, or Kubernetes configurations should therefore treat any secrets or credentials exposed during those scans as likely compromised.
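To scope exposure, it helps to find every place the KICS image was pulled by a mutable tag, since overwritten tags reach those pipelines while digest-pinned references keep resolving to the same content. The following Python script is an added example, not code from Socket or Checkmarx; the repository name `checkmarx/kics`, the tag `v0.0.0-example`, the all-zero digest and the sample CI text are assumptions constructed for illustration.

```python
import re

# Assumption: Docker Hub repository name of the KICS image; adjust to your usage.
REPO = "checkmarx/kics"

# repo, optional :tag, optional @sha256:<64 hex>; a leading registry host is allowed.
REF_RE = re.compile(
    r"(?<![\w-])" + re.escape(REPO)
    + r"(?::(?P<tag>\w[\w.-]{0,127}))?"
    + r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?(?![\w/-])"
)

def classify_refs(text):
    """Return (line_no, reference, status) for each KICS image reference in text."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for m in REF_RE.finditer(line):
            if m.group("digest"):
                # Not affected by tag overwrites, but the digest itself must
                # still be compared against a known-good value.
                status = "digest-pinned"
            elif m.group("tag"):
                status = "mutable-tag"      # resolves to whatever the tag points at
            else:
                status = "implicit-latest"  # no tag means :latest
            findings.append((no, m.group(0), status))
    return findings

# Constructed sample: a CI definition with four KICS references.
SAMPLE_CI = (
    "steps:\n"
    '  - run: docker run -v "$PWD":/path checkmarx/kics:latest scan -p /path\n'
    "  - run: docker run checkmarx/kics:v0.0.0-example scan -p /iac\n"
    "  - image: docker.io/checkmarx/kics@sha256:" + "0" * 64 + "\n"
    "  - run: docker pull checkmarx/kics\n"
)

if __name__ == "__main__":
    for no, ref, status in classify_refs(SAMPLE_CI):
        print(f"line {no}: {status:16} {ref}")
```

Any pipeline flagged `mutable-tag` or `implicit-latest` that ran during the exposure window marks a scan whose inputs should have their secrets rotated.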
