ForensicsS | Private Detective & Digital Forensics Investigation Experts
  • info@forensicss.com
  • 11400 West Olympic Blvd, Los Angeles, CA 90064

    New Checkmarx supply-chain breach affects KICS analysis tool
    23 Apr
    ForensicsS


    Hackers have compromised Docker images and VS Code and Open VSX extensions for the Checkmarx KICS analysis tool to harvest sensitive data from developer environments.

    KICS, short for Keeping Infrastructure as Code Secure, is a free, open-source scanner that helps developers identify security vulnerabilities in source code, dependencies, and configuration files.

    The tool is typically run locally via CLI or Docker, and processes sensitive infrastructure configs that often contain credentials, tokens, and internal architecture details.


    Dependency security company Socket investigated the incident after receiving an alert from Docker about malicious images pushed to the official checkmarx/kics Docker Hub repository.

    The investigation revealed that the compromise extended beyond the trojanized KICS Docker image to VS Code and Open VSX extensions that downloaded a hidden ‘MCP addon’ feature designed to fetch the secret-stealing malware.

    Socket found that the ‘MCP addon’ feature downloaded “a multi-stage credential theft and propagation component” from a hardcoded GitHub URL as mcpAddon.js.

    According to the researchers, the malware targets precisely the data processed by KICS, including GitHub tokens, cloud (AWS, Azure, Google Cloud) credentials, npm tokens, SSH keys, Claude configs, and environment variables.

    It then encrypts the data and exfiltrates it to audit.checkmarx[.]cx, a domain designed to impersonate legitimate Checkmarx infrastructure. Additionally, public GitHub repositories are automatically created for data exfiltration.

    Automatically created GitHub repositories
    Source: Socket

    It is important to clarify that Docker tags were temporarily repointed to a malicious digest, so the impact depends on when they were pulled. The dangerous timeframe for the DockerHub KICS image was from 2026-04-22 14:17:59 UTC to 2026-04-22 15:41:31 UTC.

    Affected tags have now been restored to their legitimate image digests, and the fake v2.1.21 tag was deleted entirely.

    Developers who have downloaded the above should consider their secrets compromised, rotate them as quickly as possible, and rebuild their environments from a known safe point.

    While the TeamPCP hackers, responsible for the massive Trivy and LiteLLM supply-chain compromise, claimed the attack publicly, the researchers could not find sufficient evidence beyond pattern-based correlations to confidently attribute it.

    BleepingComputer has reached out to Checkmarx, an application security testing company, for a statement, but a comment wasn’t immediately available.

    Meanwhile, the company published a security bulletin about the incident, assuring users that all malicious artifacts were removed, and their exposed credentials had been revoked and rotated.

    The company is currently investigating with help from external experts and has promised to provide more information as it becomes available.

    Users of the compromised tools are advised to block access to ‘checkmarx.cx => 91[.]195[.]240[.]123’ and ‘audit.checkmarx.cx => 94[.]154[.]172[.]43,’ use pinned SHAs, revert to known safe versions, and rotate secrets and credentials if compromise is suspected or confirmed.

    The latest safe versions of the compromised projects are: DockerHub KICS v2.1.20, Checkmarx ast-github-action v2.3.36, Checkmarx VS Code extensions v2.64.0, and Checkmarx Developer Assist extension v1.18.0.
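
The exposure-window and pinning guidance above, as an added example (not code from Socket, Checkmarx or the original article): a Python check that flags `checkmarx/kics` image references left on a mutable tag or on the fake v2.1.21 tag, flags `ast-github-action` references not pinned to a full commit SHA, and tests whether a pull time falls inside the reported window. The `uses:` workflow syntax, the sample lines, and the digest and commit SHA in them are constructed assumptions.

```python
import re
from datetime import datetime, timezone

# Exposure window and fake tag exactly as reported in the article.
WINDOW_START = datetime(2026, 4, 22, 14, 17, 59, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 4, 22, 15, 41, 31, tzinfo=timezone.utc)
FAKE_TAG = "v2.1.21"

# checkmarx/kics[:tag][@sha256:digest], optionally prefixed with docker.io/
IMAGE_RE = re.compile(r"\b(?:docker\.io/)?checkmarx/kics(?![\w/-])(?::(?P<tag>[\w.-]+))?"
                      r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?", re.I)
# Assumed workflow syntax for the action named in the article.
ACTION_RE = re.compile(r"uses:\s*checkmarx/ast-github-action@(?P<ref>[\w.-]+)", re.I)
FULL_SHA = re.compile(r"[0-9a-f]{40}", re.I)

def pulled_in_window(pulled_at: str) -> bool:
    """True if an ISO-8601 pull time lies inside the exposure window."""
    ts = datetime.fromisoformat(pulled_at.replace("Z", "+00:00"))
    if ts.tzinfo is None:  # treat naive timestamps as UTC
        ts = ts.replace(tzinfo=timezone.utc)
    return WINDOW_START <= ts <= WINDOW_END

def audit_references(text: str) -> list:
    """Return (line_no, finding) for each mutable or known-bad reference."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        img = IMAGE_RE.search(line)
        if img and img["tag"] == FAKE_TAG:
            findings.append((no, "fake tag " + FAKE_TAG))
        elif img and not img["digest"]:
            findings.append((no, "image tag not pinned to a digest"))
        act = ACTION_RE.search(line)
        if act and not FULL_SHA.fullmatch(act["ref"]):
            findings.append((no, "action not pinned to a commit SHA"))
    return findings

# Constructed sample: the digest and commit SHA are placeholders, not real values.
SAMPLE = "\n".join([
    "image: checkmarx/kics:latest",
    "image: checkmarx/kics:v2.1.21",
    "image: checkmarx/kics:v2.1.20@sha256:" + "a" * 64,
    "uses: checkmarx/ast-github-action@v2.3.36",
    "uses: checkmarx/ast-github-action@" + "b" * 40,
])

if __name__ == "__main__":
    for no, finding in audit_references(SAMPLE):
        print(f"line {no}: {finding}")
    print(pulled_in_window("2026-04-22T15:00:00Z"))
```

A pinned digest or commit SHA only helps if the pinned value was recorded from a known safe release; a reference that passes this check still needs that value verified.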

