Malicious KICS Docker Images and VS Code Extensions Hit Checkmarx Supply Chain

The Hacker News, Apr 22, 2026

Why It Matters

The incident shows how a single compromised open‑source distribution channel can expose thousands of developers, cloud accounts, and CI/CD pipelines to credential theft and malware propagation, raising the stakes for software‑supply‑chain security.

Key Takeaways

  • Checkmarx KICS Docker tags v2.1.20 and alpine overwritten with malware
  • VS Code extensions 1.17.0, 1.19.0 embed mcpAddon.js credential stealer
  • Threat actor TeamPCP used stolen GitHub tokens to create malicious repos
  • Malware injects rogue GitHub Actions workflow to exfiltrate CI/CD secrets
  • Compromised npm credentials enable republishing of 250 infected packages

Pulse Analysis

Supply‑chain attacks have moved beyond traditional package hijacking to target the very tools developers trust for security. By compromising the official Checkmarx KICS Docker images and several VS Code extensions, the attackers gained a foothold in environments that routinely scan Terraform, CloudFormation, and Kubernetes manifests. The malicious binaries not only collect sensitive configuration data but also encrypt and forward it to a dedicated endpoint, turning a defensive scanner into a data‑exfiltration vector. This tactic underscores the growing sophistication of threat actors who blend credential theft with supply‑chain propagation, leveraging stolen GitHub tokens to spin up fake repositories and inject rogue Actions workflows that silently siphon CI/CD secrets.

The attack chain’s second stage exploits the developer’s own cloud and npm credentials. Once the mcpAddon.js module is executed, it harvests AWS, Azure, GCP, and NPM tokens, then creates public GitHub repositories that store the stolen data as JSON files. By injecting a .github/workflows/format‑check.yml file into compromised repositories, the malware triggers automated runs that capture additional secrets before self‑deleting to evade detection. The final propagation vector repackages up to 250 npm packages under the victim’s identity, spreading the payload across the broader JavaScript ecosystem. Such multi‑stage worm‑like behavior amplifies the impact far beyond the initial compromised host, threatening downstream supply chains and open‑source consumers.

For organizations, the breach serves as a stark reminder to enforce strict provenance controls. Pinning Docker image SHAs, validating extension signatures, and employing SBOMs can limit exposure to tampered artifacts. Immediate remediation steps include removing affected images and extensions, rotating all compromised credentials, and auditing GitHub for unauthorized repositories or workflows. Blocking outbound traffic to the identified audit.checkmarx.cx domain and monitoring for anomalous network traffic further reduces the attack surface. As supply‑chain threats continue to evolve, a proactive, layered security posture—combining code signing, runtime integrity checks, and continuous credential hygiene—is essential to protect modern DevOps pipelines.
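As an added example (not code from the article, The Hacker News, or Checkmarx), the following Python helper audits a repository snapshot for two indicators the article names: the injected format-check.yml workflow file and references to the overwritten checkmarx/kics tags that are not pinned by digest; the sample repository contents, function names and severity labels are constructed for illustration.

```python
import re

# Indicators named in the article (ASCII hyphen assumed in the workflow file name).
ROGUE_WORKFLOW = ".github/workflows/format-check.yml"
COMPROMISED_TAGS = {"v2.1.20", "alpine"}
# Matches checkmarx/kics[:tag][@sha256:digest]; the lookahead avoids matching
# longer names such as checkmarx/kics-github-action.
IMAGE_RE = re.compile(
    r"checkmarx/kics(?![\w-])(?::([\w.\-]+))?(@sha256:[0-9a-f]{64})?"
)

def audit_repo(files):
    """Scan a {path: text} snapshot of a repository; return (path, severity, message) tuples."""
    findings = []
    for path, text in files.items():
        if path == ROGUE_WORKFLOW:
            findings.append((path, "critical",
                             "injected workflow present: remove it and rotate CI/CD secrets"))
        for m in IMAGE_RE.finditer(text):
            tag, digest = m.group(1), m.group(2)
            if digest:
                continue  # pinned by digest: a tag overwrite cannot change this reference
            if tag in COMPROMISED_TAGS:
                findings.append((path, "critical",
                                 f"references overwritten tag checkmarx/kics:{tag}"))
            else:
                findings.append((path, "warning",
                                 f"checkmarx/kics:{tag or 'latest'} is a mutable tag; pin a digest"))
    return findings

# Constructed sample repository, not real project files.
SAMPLE_REPO = {
    ".github/workflows/format-check.yml": "name: format-check\non: push\n",
    ".github/workflows/scan.yml":
        "jobs:\n  kics:\n    steps:\n      - uses: docker://checkmarx/kics:v2.1.20\n",
    "Dockerfile": "FROM checkmarx/kics:alpine@sha256:" + "a" * 64 + "\n",
    "docker-compose.yml": "services:\n  kics:\n    image: checkmarx/kics:v2.1.19\n",
    "ci.yml": "steps:\n  - uses: checkmarx/kics-github-action@v2\n",
}

if __name__ == "__main__":
    for path, severity, message in audit_repo(SAMPLE_REPO):
        print(f"[{severity}] {path}: {message}")
```

The digest-pinned Dockerfile reference and the differently named action produce no findings, which is the behaviour a pinning policy should reward.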
