Attackers hijacked official Checkmarx KICS Docker Hub images and VS Code extensions to steal cloud credentials silently, CI/CD secrets, and developer tokens as part of a sweeping supply chain campaign by the threat group TeamPCP, which has now targeted multiple security tools.
Cybersecurity researchers disclosed a serious supply chain compromise affecting the official Checkmarx KICS (Keeping Infrastructure as Code Secure) Docker Hub repository and related VS Code extensions.
Docker flagged suspicious activity on the checkmarx/kics Docker Hub repository and alerted Socket, whose investigation found that attackers had overwritten existing image tags, including v2.1.20 and alpine and pushed a fraudulent v2.1.21 tag with no corresponding upstream release.
Checkmarx KICS Docker Images Hijack
The incident is a developing story with Checkmarx disclosing the supply chain event on March 23, 2026. The poisoned KICS binary had been covertly modified to include unauthorized data collection and exfiltration capabilities not present in the legitimate version.
The malware was engineered to generate an uncensored scan report of the target environment, encrypt it, and transmit it to an attacker-controlled external endpoint.
For organizations that routinely use KICS to scan Terraform, CloudFormation, or Kubernetes configuration files, any secrets, API keys, or cloud credentials embedded in those files must be considered potentially exfiltrated.
The compromise extends well beyond Docker Hub. Researchers also identified suspicious behavior embedded in recent VS Code and Open VSX extension releases for Checkmarx tooling. Specifically:
- Versions 1.17.0 and 1.19.0 introduced code that downloads and executes a remote addon via the Bun runtime
- The behavior was quietly removed in version 1.18.0, then reintroduced in 1.19.0, suggesting deliberate and persistent backdooring
- The malicious code relies on a hardcoded GitHub URL to fetch and execute additional JavaScript with zero user confirmation or integrity verification
Further analysis revealed that the VS Code extensions delivered a second-stage payload named mcpAddon.js, which checked whether the victim had credentials for at least one cloud provider: GitHub, AWS, Google Cloud, or Microsoft Azure.
If credentials were detected, a next-stage payload was pulled from the attacker-controlled C2 domain checkmarx[.]zone. Stolen tokens and secrets were then compressed and exfiltrated via HTTPS https://audit.checkmarx[.]cx/v1/telemetry.
Researchers found that the compromised Docker images bundled an ELF binary written in Golang named kics. Although it mimics the legitimate KICS scanner’s functionality on the surface, it shares the same Command and Control (C2) server address as mcpAddon.js, indicating coordinated infrastructure across both attack vectors.
The malware performed memory dumps of CI/CD runner processes, reading /proc/<pid>/mem to extract secrets stored within GitHub Actions Runner worker process memory. It then harvested developer and cloud credentials, compressed them, and exfiltrated them both to external endpoints and to attacker-created public GitHub repositories under victim accounts.
This attack is not an isolated incident. It is part of a broader, multi-week campaign by the threat actor group TeamPCP. The group first compromised Aqua Security’s Trivy scanner on March 19, 2026, before pivoting to Checkmarx tools using stolen CI/CD credentials.
Between 12:58 and 16:50 UTC on March 23, 2026, TeamPCP compromised the checkmarx/ast-github-action and checkmarx/kics-github-action GitHub Actions workflows that inject malicious payloads into all 35 Git tags.
Any CI/CD pipeline that referenced these actions during that window silently exfiltrated API keys, database passwords, cloud access tokens, SSH keys, and service account credentials. The incident was assigned CVE-2026-33634.
TeamPCP’s infrastructure leverages typosquatting-style domains checkmarx[.]zone to impersonate Checkmarx branding and even abused stolen GitHub tokens to inject new malicious Actions workflows, creating worm-like propagation across dependent repositories.
The group also used stolen npm credentials to identify writable packages for downstream republishing, effectively turning each compromised developer environment into a new infection vector.
The attack surface is significant. Any workflow that executed checkmarx/kics-github-action between 12:58 and 16:50 UTC on March 23, 2026, must be treated as fully compromised.
The VS Code Marketplace versions were reportedly not affected, but the Open VSX extension versions were confirmed to be trojanized. Organizations using Checkmarx developer tooling across Docker, GitHub Actions, and VS Code environments face compounded risk due to the multi-vector nature of this campaign.
Remediation
If your organization may have been affected, take these steps immediately:
- Rotate all secrets, treat every credential, token, SSH key, and API key exposed to affected KICS scans as compromised
- Audit CI/CD pipeline logs for the March 23, 2026 window (12:58–16:50 UTC)
- Remove or downgrade affected VS Code extension versions (1.17.0 and 1.19.0) immediately
- Pin GitHub Actions by commit SHA, not by tag, to prevent tag-overwrite attacks
- Audit Docker image digests do not rely on mutable tags like
latestoralpine - Review npm packages for any suspicious republished versions associated with compromised credentials.
Checkmarx confirmed they identified and contained the incident, with the compromised GitHub Actions taken down by 16:50 UTC on March 23.
Socket has disclosed all findings to the Checkmarx team and stated that a full technical analysis will follow as the investigation continues.
FAQ
Q1: Which KICS Docker image tags were compromised?
Tags v2.1.20, alpine, and the fake v2.1.21 images were overwritten with malicious images on Docker Hub.
Q2: Were VS Code Marketplace extensions affected?
Not only were Open VSX extension versions 1.17.0 and 1.19.0 confirmed compromised, but VS Code Marketplace versions were not affected.
Q3: What data did the malware steal?
The malware exfiltrated cloud credentials, CI/CD secrets, SSH keys, API tokens, and encrypted IaC scan reports containing sensitive configuration data.
Q4: Who is behind the Checkmarx supply chain attack?
The threat group TeamPCP orchestrated the attack, the same actor that previously compromised Aqua Security’s Trivy scanner starting March 19, 2026.
Site: https://thecybrdef.com
About the Author
