RC RANDOM CHAOS

Checkmarx KICS supply chain hit: Docker images and VSCode extensions weaponized

· via BleepingComputer

Original source: "New Checkmarx supply-chain breach affects KICS analysis tool" (BleepingComputer)

Attackers pushed trojanized versions of Checkmarx’s KICS scanner to Docker Hub and compromised the associated VS Code and Open VSX extensions, turning a security tool into a credential harvester. The extensions pulled a hidden ‘MCP addon’ component from a hardcoded GitHub URL, loading a multi-stage payload called mcpAddon.js that targeted exactly the material KICS processes — GitHub tokens, AWS/Azure/GCP credentials, npm tokens, SSH keys, Claude configs, and environment variables. Stolen data was encrypted and exfiltrated to audit.checkmarx[.]cx, a lookalike domain, and to auto-created public GitHub repositories.

The malicious Docker digest was live on the official checkmarx/kics repo for roughly 84 minutes on 2026-04-22 (14:17–15:41 UTC), with a rogue v2.1.21 tag since deleted and legitimate digests restored. Socket surfaced the intrusion after a Docker alert. TeamPCP — the group behind the Trivy and LiteLLM compromises — publicly claimed it, but researchers stopped short of attribution, citing only pattern-level overlap.

Blast radius is bounded by the pull window but severe for anyone caught inside it: a KICS install runs against infrastructure-as-code loaded with secrets, so any pull during the exposure should be treated as full credential compromise. Safe versions are KICS v2.1.20, ast-github-action v2.3.36, VS Code extensions v2.64.0, and Developer Assist v1.18.0. Block checkmarx.cx and audit.checkmarx.cx, pin images by SHA digest rather than by tag, and rotate every credential the tool touched.
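As an added example (not code from the article or from Checkmarx), the following Python triage script applies the indicators above to constructed CI pull and egress-proxy log lines: it flags any checkmarx/kics pull inside the 2026-04-22 14:17–15:41 UTC window, any pull of the rogue v2.1.21 tag, and any connection to the lookalike domain. The log format is assumed and constructed for the example.

```python
import re
from datetime import datetime, timezone
from typing import List, Optional
# Indicators and exposure window as reported for the incident (all times UTC).
WINDOW_START = datetime(2026, 4, 22, 14, 17, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 4, 22, 15, 41, tzinfo=timezone.utc)
ROGUE_TAG = "v2.1.21"
LOOKALIKE_DOMAINS = {"checkmarx.cx", "audit.checkmarx.cx"}
LINE_RE = re.compile(r"^(\S+)\s+(pull|connect)\s+(\S+)$", re.IGNORECASE)  # assumed log shape

def pull_verdict(ref: str, pulled_at: datetime) -> Optional[str]:
    """Reason to treat a checkmarx/kics image pull as compromised, or None if clean."""
    if "checkmarx/kics" not in ref:
        return None
    if ref.endswith(":" + ROGUE_TAG):
        return "rogue tag " + ROGUE_TAG
    if WINDOW_START <= pulled_at <= WINDOW_END:  # any pull in the window = credential compromise
        return "pull inside the exposure window"
    return None

def host_is_lookalike(host: str) -> bool:
    """True for the lookalike domain and any host under it (port suffix stripped)."""
    host = host.lower().rsplit(":", 1)[0].rstrip(".")
    return host in LOOKALIKE_DOMAINS or host.endswith(".checkmarx.cx")

def scan_log(lines: List[str]) -> List[str]:
    """Return one finding per suspect line, formatted as '<timestamp> <reason>'."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts_text, action, target = m.groups()
        ts = datetime.fromisoformat(ts_text.replace("Z", "+00:00"))
        if action.lower() == "pull":
            reason = pull_verdict(target, ts)
        else:
            reason = "connection to lookalike domain " + target if host_is_lookalike(target) else None
        if reason:
            findings.append(f"{ts_text} {reason}")
    return findings

# Constructed sample log (not from the article): CI image pulls plus egress proxy CONNECTs.
SAMPLE_LOG = [
    "2026-04-22T13:50:00Z pull checkmarx/kics:latest",
    "2026-04-22T14:30:00Z pull checkmarx/kics:latest",
    "2026-04-22T15:10:00Z pull checkmarx/kics:v2.1.21",
    "2026-04-22T15:12:00Z connect audit.checkmarx.cx:443",
    "2026-04-22T15:13:00Z connect checkmarx.com:443",
]
```

Running `scan_log(SAMPLE_LOG)` reports the 14:30 and 15:10 pulls and the 15:12 connection; a digest-pinned pull still needs its digest compared against the restored legitimate one, which this script does not know.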


This is an AI-generated summary. Read the original for the full story.