Checkmarx KICS Supply-Chain Breach: What Devs Need to Know

Checkmarx KICS Trojanized in Targeted Supply-Chain Attack

The Checkmarx KICS supply-chain breach is exactly the kind of attack that should make every developer rethink blind trust in official tooling. Hackers compromised Docker images, VS Code extensions, and Open VSX extensions for KICS (Keeping Infrastructure as Code Secure), a widely used open-source IaC scanner. The goal was straightforward: steal credentials from the exact environments where KICS operates, environments packed with cloud configs, tokens, and SSH keys.

Socket uncovered the scope of the compromise after Docker flagged malicious images pushed to the official checkmarx/kics Docker Hub repository. What looked like a single poisoned image turned out to be a multi-vector attack hitting developers across CLI, container, and editor-based workflows.

How the Attack Actually Worked

The attackers embedded a hidden "MCP addon" feature inside the trojanized extensions and images. This addon silently fetched a file called mcpAddon.js from a hardcoded GitHub URL. That file contained a multi-stage credential theft component.

Once running, the malware targeted data that KICS routinely handles:

• GitHub tokens
• AWS, Azure, and Google Cloud credentials
• npm tokens
• SSH keys
• Claude AI configuration files
• Environment variables

Stolen data was encrypted and exfiltrated to audit.checkmarx[.]cx, a domain crafted to impersonate legitimate Checkmarx infrastructure. The malware also automatically created public GitHub repositories as a secondary exfiltration channel, a technique that abuses trusted infrastructure to fly under the radar.

The DockerHub window of exposure was narrow but real: from 2026-04-22 14:17:59 UTC to 2026-04-22 15:41:31 UTC. If you pulled the KICS image during that window, treat all secrets in that environment as compromised.

What's at Risk for Developers

KICS is designed to scan infrastructure-as-code files. By definition, those files often contain some of the most sensitive material in a project. This attack specifically targeted that intersection, tools that need access to secrets to do their job, which makes the blast radius significant.

Any developer who pulled affected images or installed the malicious extensions during the exposure window should assume their cloud credentials, tokens, and SSH keys are in attacker hands. The fake v2.1.21 Docker tag has since been deleted. Affected tags have been restored to legitimate digests. But the damage window already passed.

Attribution remains unconfirmed. The group behind the Trivy and LiteLLM supply-chain attacks publicly claimed responsibility, but Socket's researchers noted the evidence was pattern-based correlation rather than definitive proof.

Protecting Your Developer Environment After a Supply-Chain Compromise

Rotate immediately if you pulled any affected artifacts. That means GitHub tokens, cloud IAM credentials, npm tokens, and SSH keys. Do not wait for confirmation that your specific pull was malicious.

Block network access to these indicators at your firewall or DNS level:

• checkmarx.cx resolving to 91[.]195[.]240[.]123
• audit.checkmarx.cx resolving to 94[.]154[.]172[.]43

Pin Docker image pulls to verified SHAs rather than mutable tags like latest or version strings. The safe versions to revert to are:

• DockerHub KICS: v2.1.20
• checkmarx/ast-github-action: v2.3.36
• Checkmarx VS Code extensions: v2.64.0
• Checkmarx Developer Assist extension: v1.18.0

Rebuild affected environments from a known-clean state. Audit recent CI/CD pipeline runs that used KICS for any anomalous outbound connections or unexpected GitHub repository creation. Running a dependency and configuration scan on your current stack can surface additional exposure you might have missed.

For broader context on supply-chain attack patterns hitting developer tooling, see our coverage at /blog/npm-supply-chain-attacks-2026.

What should I do first if I pulled the KICS image during the exposure window? Rotate all secrets immediately. Start with cloud credentials (AWS, Azure, GCP), then GitHub tokens, npm tokens, and SSH keys. Block the two exfiltration IPs at the network level before doing anything else.

How do I verify my current KICS version is safe? Pin your Docker pulls to the SHA digest of v2.1.20 rather than relying on a tag. Tags are mutable and were exactly what the attackers repointed. Check the Docker Hub page for the verified digest and lock it in your pipeline config.

Could my CI/CD pipeline have been affected even if I didn't use the VS Code extension? Yes. If your pipeline pulls the KICS Docker image by tag rather than digest, and ran between 14:17 and 15:41 UTC on April 22, 2026, it likely pulled the malicious image. Audit your pipeline logs for that timeframe and check for unexpected outbound connections to the flagged IPs.

Scan your infrastructure configs and dependencies for active exposure at VibeWShield.