Supply Chain Attack Targets Checkmarx KICS Tool via Docker and VSCode Extensions
Severity: High (Score: 74.0)
Sources: checkmarx.com, Thehackernews, Bleepingcomputer
Summary
Attackers compromised the Docker images and VS Code extensions of Checkmarx KICS, a scanner that finds security misconfigurations in infrastructure-as-code (IaC) files. A trojanized KICS Docker image was available on the official Docker Hub repository between April 22, 2026, 14:17:59 UTC and April 22, 2026, 15:41:31 UTC. The malicious images carried a hidden "MCP addon" feature that downloaded credential-stealing malware. That malware targets the sensitive data KICS handles during a scan, such as GitHub tokens and cloud credentials, encrypts it and exfiltrates it to a look-alike domain built to impersonate Checkmarx (checkmarx.cx).

Developers who pulled the compromised images or installed the compromised extensions are advised to rotate the secrets those environments could reach and to rebuild the environments. The attack has been linked to the TeamPCP group, although attribution remains uncertain. Checkmarx has removed the malicious artifacts and is investigating the incident with external experts.

Key Points:
• Checkmarx KICS was compromised via malicious Docker images and VS Code extensions.
• Sensitive data such as GitHub tokens and cloud credentials was targeted and exfiltrated.
• Developers are advised to rotate secrets and rebuild environments after the incident.
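The remediation advice depends on answering two questions: did a host pull the KICS image during the window it was trojanized, and did anything on that host talk to the impersonation domain. The Python script below is an added example, not Checkmarx's code and not part of the advisory. It takes the only two indicators this page gives (the attacker domains listed under Key Entities and the Docker Hub availability window) and runs them over egress and CI log lines. The log line formats, the image reference `checkmarx/kics` and the sample lines are constructed for the example, not taken from real logs.

```python
"""Hunt for the two indicators the advisory gives: egress to the Checkmarx
impersonation domain and pulls of the KICS image inside the Docker Hub window."""
import re
from datetime import datetime, timezone

# From the advisory: attacker-controlled domains impersonating Checkmarx.
IOC_DOMAINS = {"checkmarx.cx", "audit.checkmarx.cx"}
# From the advisory: window in which the trojanized image sat on Docker Hub (UTC).
WINDOW_START = datetime(2026, 4, 22, 14, 17, 59, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 4, 22, 15, 41, 31, tzinfo=timezone.utc)

# Hostname-looking tokens: labels separated by dots, ending in an alphabetic TLD.
HOST_RE = re.compile(r"(?<![\w.-])((?:[a-z0-9-]+\.)+[a-z]{2,})(?![\w-])", re.I)
# Assumed (constructed) log format: an ISO-8601 UTC timestamp with a Z suffix first.
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z")


def is_ioc_domain(host):
    """True for an IoC domain or any subdomain of one.

    Exact-label matching keeps the legitimate checkmarx.com out of the hits and
    also rejects look-alikes such as checkmarx.cx.example.com."""
    h = host.lower().rstrip(".")
    return h in IOC_DOMAINS or any(h.endswith("." + d) for d in IOC_DOMAINS)


def find_ioc_hits(lines):
    """Return (line_number, host) for every hostname in the lines that is an IoC."""
    hits = []
    for n, line in enumerate(lines, 1):
        for host in HOST_RE.findall(line):
            if is_ioc_domain(host):
                hits.append((n, host.lower()))
    return hits


def parse_ts(line):
    """Timestamp of a log line as an aware UTC datetime, or None if it has none."""
    m = TS_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def pulls_in_window(lines, image="checkmarx/kics"):
    """Line numbers of pulls of `image` whose timestamp falls inside the window."""
    flagged = []
    for n, line in enumerate(lines, 1):
        ts = parse_ts(line)
        if ts is not None and image in line and WINDOW_START <= ts <= WINDOW_END:
            flagged.append(n)
    return flagged


# Constructed sample lines (not real logs): a DNS/proxy egress log and a CI build log.
EGRESS_LOG = [
    "2026-04-22T15:05:41Z dns query A api.checkmarx.com from 10.0.0.5",
    "2026-04-22T15:05:44Z dns query A audit.checkmarx.cx from 10.0.0.5",
    "2026-04-22T15:05:45Z proxy CONNECT https://audit.checkmarx.cx/ingest 10.0.0.5",
    "2026-04-22T15:06:02Z dns query A github.com from 10.0.0.5",
]
CI_LOG = [
    "2026-04-22T13:58:10Z Pulling checkmarx/kics:latest",
    "2026-04-22T15:02:33Z Pulling checkmarx/kics:latest",
    "2026-04-22T16:10:07Z Pulling checkmarx/kics:latest",
]

if __name__ == "__main__":
    for n, host in find_ioc_hits(EGRESS_LOG):
        print(f"egress line {n}: contact with IoC domain {host}")
    for n in pulls_in_window(CI_LOG):
        print(f"ci line {n}: KICS image pulled inside the compromise window")
```

Two caveats when using this on real data. A pull timestamp outside the window does not clear a host: a runner that pulled during the window may have kept the image in its layer cache or a registry mirror and served it to later builds, so the authoritative check is comparing the image digest against the good digests Checkmarx publishes, which this page does not include. And an empty hit list from egress logs only covers what those logs saw; a scan that ran with GitHub tokens or cloud credentials in reach during the window should still have those secrets rotated, as the advisory says.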
Key Entities
- Malware (attack_type)
- Supply Chain Attack (attack_type)
- Checkmarx (company)
- AWS (company)
- Azure (company)
- Open VSX (company)
- audit.checkmarx.cx (domain)
- checkmarx.cx (domain)
- T1003 - OS Credential Dumping (mitre_attack)
- T1195 - Supply Chain Compromise (mitre_attack)
- T1203 - Exploitation for Client Execution (mitre_attack)
- T1567.002 - Exfiltration to Cloud Storage (mitre_attack)
- Docker (tool)
- Google Cloud (tool)
- VS Code (tool)
- Docker Hub (platform)
- GitHub (platform)