Malicious KICS Docker Images and VS Code Extensions Hit Checkmarx Supply Chain

Ravie Lakshmanan, Apr 22, 2026. Cloud Security / Software Security

Security researchers have flagged malicious container images pushed to the official "checkmarx/kics" repository on Docker Hub.

According to an alert from the software supply chain security firm Socket, unidentified threat actors overwrote existing tags such as v2.1.20 and alpine and pushed a new tag, v2.1.21, that corresponds to no official release. Because Docker tags are mutable, anyone who pulled those tags after the overwrite received the tampered image under a familiar name. The Docker Hub repository has since been archived as a precaution.

Socket stated, “Analysis of the compromised image revealed that the KICS binary included unauthorized data collection and exfiltration capabilities not found in the authentic version.”

“The malware could generate a tampered scan report, encrypt it, and transmit it to an external destination, posing a significant risk to teams utilizing KICS for scanning infrastructure-as-code files that might contain sensitive data like credentials,” Socket added.

Further investigation found that other Checkmarx developer tools were affected as well, including recent releases of the company's Microsoft Visual Studio Code extensions, which contained malicious code that downloaded and executed a remote add-on using the Bun runtime.

“The malicious behavior was observed in versions 1.17.0 and 1.19.0, eliminated in 1.18.0, and relied on a hardcoded GitHub URL to fetch and execute additional JavaScript without user consent or integrity verification,” Socket explained.

Organizations that ran the compromised KICS image against Terraform, CloudFormation, or Kubernetes configurations should treat any secrets or credentials present in the scanned files as compromised and rotate them. Since the malware sent the tampered report to an external destination, outbound connections from the CI runners or hosts that executed those scans are also worth reviewing.
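The first triage step for the advice above is finding out which pipelines actually pulled the image, and by what reference. The following script is an added example written for this article; it is not code from Socket, Checkmarx or the KICS project. It scans a set of CI and build files for references to checkmarx/kics and classifies each one as pulled by a tag the report names as tampered, by some other mutable tag (including the implicit :latest of a bare image name), or pinned to an immutable digest. The file contents, file names and the all-"a" digest are constructed placeholders; the verdict names and the SUSPECT_TAGS set are the example's own.

```python
"""Added triage helper (not from the Socket report or the KICS project):
locate every checkmarx/kics image reference in CI and container configs and
flag the ones that pull a mutable tag, especially the tags the report names."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Tags named in the report: v2.1.20 and alpine were overwritten, v2.1.21 was
# injected and matches no official release.
SUSPECT_TAGS = {"v2.1.20", "alpine", "v2.1.21"}

# Matches [registry/]checkmarx/kics[:tag][@sha256:digest]. The look-arounds keep
# it from matching longer names such as checkmarx/kics-github-action.
IMAGE_RE = re.compile(
    r"(?<!\w)"
    r"(?:[\w.\-]+(?::\d+)?/)?"
    r"checkmarx/kics(?![\w.\-])"
    r"(?::(?P<tag>\w[\w.\-]{0,127}))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?"
)


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    ref: str
    tag: Optional[str]
    digest: Optional[str]
    verdict: str  # "suspect-tag", "mutable-tag" or "digest-pinned"


def classify(tag: Optional[str], digest: Optional[str]) -> str:
    """Docker resolves by digest when one is present, so a digest pin wins.
    A tag, or no tag at all (implicit :latest), can be re-pointed by whoever
    controls the repository, which is exactly what happened here."""
    if digest:
        return "digest-pinned"
    if tag in SUSPECT_TAGS:
        return "suspect-tag"
    return "mutable-tag"


def triage(files: Dict[str, str]) -> List[Finding]:
    """Walk every line of every file and record each KICS image reference."""
    findings: List[Finding] = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for m in IMAGE_RE.finditer(line):
                tag, digest = m.group("tag"), m.group("digest")
                findings.append(
                    Finding(path, lineno, m.group(0), tag, digest, classify(tag, digest))
                )
    return findings


def secrets_at_risk(findings: List[Finding]) -> bool:
    """True when any scan ran from a tag the report says was tampered with:
    credentials in the IaC scanned by that job should be rotated."""
    return any(f.verdict == "suspect-tag" for f in findings)


# Constructed sample inputs standing in for a repository's CI and build files.
SAMPLE_FILES = {
    ".github/workflows/iac-scan.yml": (
        "jobs:\n"
        "  kics:\n"
        "    runs-on: ubuntu-latest\n"
        "    container: checkmarx/kics:v2.1.20\n"
        "    steps:\n"
        "      - uses: actions/checkout@v4\n"
        "      - run: kics scan -p . -o results\n"
    ),
    "docker-compose.yml": (
        "services:\n"
        "  scanner:\n"
        "    image: docker.io/checkmarx/kics:alpine\n"
        "    volumes: ['./infra:/path']\n"
    ),
    "Dockerfile.scan": (
        "FROM checkmarx/kics@sha256:" + "a" * 64 + "\n"  # placeholder digest, not a real one
        "COPY terraform/ /path/\n"
    ),
    "Makefile": (
        "scan:\n"
        "\tdocker run -t checkmarx/kics scan -p /path\n"  # bare name = implicit :latest
    ),
}

if __name__ == "__main__":
    found = triage(SAMPLE_FILES)
    for f in found:
        print(f"{f.path}:{f.line}: {f.verdict:13} {f.ref}")
    if secrets_at_risk(found):
        print("Rotate any credentials present in the IaC scanned by the flagged jobs.")
```

A digest-pinned reference is only as good as the digest: the script cannot know whether a pin was taken before or after the overwrite, so compare it, and the RepoDigests of whatever was actually pulled (`docker image inspect --format '{{.RepoDigests}}' checkmarx/kics:v2.1.20` on the runner), against a value obtained from Checkmarx rather than from Docker Hub alone.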

“The evidence indicates that this incident is not an isolated case on Docker Hub, but part of a broader supply chain compromise affecting various Checkmarx distribution channels,” the company emphasized.

The Hacker News has reached out to Checkmarx for additional details, and updates will be provided as soon as we receive a response.

(This story is developing. Stay tuned for more updates.)