Supply Chain Attack Targets Checkmarx KICS Tool via Docker and VSCode Extensions

Supply Chain Attack Targets Checkmarx KICS Tool via Docker and VSCode Extensions

First seen 24 Apr 2026, 07:55 UTC ThehackernewsBleepingcomputercheckmarx.com 85% similarity 74.0

Article Content

Browse articles
ThreatCluster

Hackers have compromised Docker images and VSCode extensions for the Checkmarx KICS analysis tool, which is used to identify security vulnerabilities in source code. The attack involved a trojanized KICS Docker image that was available on the official Docker Hub repository between April 22, 2026, 14:17:59 UTC and April 22, 2026, 15:41:31 UTC. The malicious images included a hidden 'MCP addon' feature that downloaded credential-stealing malware. This malware targets sensitive data processed by KICS, such as GitHub tokens and cloud credentials, encrypting and exfiltrating them to a domain designed to impersonate Checkmarx. Developers who downloaded the compromised images are advised to rotate their secrets and rebuild their environments. The attack has been linked to the TeamPCP hackers, although attribution remains uncertain. Checkmarx has removed the malicious artifacts and is investigating the incident with external experts.

Key Points: • Checkmarx KICS tool was compromised via malicious Docker images and VSCode extensions. • Sensitive data such as GitHub tokens and cloud credentials were targeted and exfiltrated. • Developers are advised to rotate secrets and rebuild environments after the incident.

ThreatCluster AI

Timeline

2026-04-22
Malicious Docker images available on Docker Hub.
2026-04-22
Attack timeframe for compromised KICS images.
2026-04-23
BleepingComputer reports on the incident.
2026-04-23
Checkmarx removes malicious artifacts and issues security bulletin.

Community

Browse all →