Malicious KICS Docker Images and VS Code Extensions Hijack Checkmarx Supply Chain
The Hacker News reports a critical software supply chain attack targeting Checkmarx’s KICS (Key Infrastructure as Code Security) product. Malicious images were pushed to the official “checkmarx/kics” Docker Hub repository. Threat actors reportedly overwrote existing tags, including v2.1.20 and alpine, and introduced a rogue v2.1.21 tag that does not correspond to any legitimate release. This indicates a compromise of Checkmarx’s Docker Hub account or their CI/CD pipeline.
This incident extends beyond Docker images, with The Hacker News also highlighting malicious VS Code extensions. This dual-pronged attack vector demonstrates a sophisticated approach to poisoning development environments and build processes. Developers pulling these compromised images or installing the malicious extensions would unknowingly integrate backdoors or data exfiltration capabilities directly into their projects, potentially leading to widespread compromise across their organizations.
For defenders, this is a stark reminder that even trusted software supply chains are under constant assault. The attacker’s calculus here is clear: compromise a widely used security tool to gain a foothold in hundreds, if not thousands, of downstream development environments. This isn’t just about a single vulnerability; it’s about subverting the very tools meant to secure our code.
What This Means For You
- If your organization uses Checkmarx KICS Docker images or related VS Code extensions, you must immediately audit your build environments and developer workstations. Verify the integrity of all `checkmarx/kics` Docker images against official Checkmarx checksums. Revoke any API keys or credentials exposed to potentially compromised build systems. This isn't a drill; malicious code could already be embedded in your software artifacts.
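As an added example (not code from the report or from Checkmarx), a shell audit for the first step above: it reads the output of `docker images --digests`, flags the tags the report names, and treats every other KICS image as unverified unless its digest is on an allowlist. The allowlist digests are placeholders you must replace with values published by Checkmarx; the sample image list is constructed.

```shell
#!/bin/sh
# Added example: audit locally pulled checkmarx/kics images. Tags come from
# the report; TRUSTED_DIGESTS are PLACEHOLDERS, not real Checkmarx digests.

# Tags the report says were overwritten (v2.1.20, alpine) or newly introduced (v2.1.21).
SUSPECT_TAGS="v2.1.20 alpine v2.1.21"
# Digests of images you verified out of band (placeholder values).
TRUSTED_DIGESTS="sha256:PLACEHOLDER_TRUSTED_DIGEST_1 sha256:PLACEHOLDER_TRUSTED_DIGEST_2"

# in_list WORD LIST: succeeds if WORD appears in the space-separated LIST.
in_list() {
  for item in $2; do
    [ "$item" = "$1" ] && return 0
  done
  return 1
}

# classify_image REPO TAG DIGEST prints SKIP (not a kics image), SUSPECT_TAG,
# UNKNOWN_DIGEST or OK. A tag can be re-pointed by whoever controls the
# repository, so only a digest match against the allowlist yields OK.
classify_image() {
  case "$1" in
    checkmarx/kics|*/checkmarx/kics) ;;
    *) echo SKIP; return 0 ;;
  esac
  if in_list "$2" "$SUSPECT_TAGS"; then echo SUSPECT_TAG
  elif in_list "$3" "$TRUSTED_DIGESTS"; then echo OK
  else echo UNKNOWN_DIGEST
  fi
}

# audit_images reads "repo tag digest" lines on stdin (the output format of
# docker images --digests --format '{{.Repository}} {{.Tag}} {{.Digest}}'),
# prints a verdict per kics image and returns 1 if any needs attention.
audit_images() {
  rc=0
  while read -r repo tag digest; do
    verdict=$(classify_image "$repo" "$tag" "$digest")
    [ "$verdict" = SKIP ] && continue
    printf '%s\t%s:%s\t%s\n' "$verdict" "$repo" "$tag" "$digest"
    [ "$verdict" = OK ] || rc=1
  done
  return $rc
}

# Constructed sample standing in for the docker command above.
SAMPLE='checkmarx/kics v2.1.21 sha256:1111
checkmarx/kics v2.1.20 sha256:2222
checkmarx/kics latest sha256:PLACEHOLDER_TRUSTED_DIGEST_1
checkmarx/kics v2.1.19 sha256:3333
nginx latest sha256:4444'

printf '%s\n' "$SAMPLE" | audit_images || echo "ACTION REQUIRED: re-pull by verified digest and review hosts that ran these images"
```

For a live run, replace the `printf` of `SAMPLE` with the `docker images --digests --format` command named in the comment and pipe it into `audit_images`.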
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| Checkmarx-KICS-SupplyChain | Supply Chain Attack | Malicious Docker images in 'checkmarx/kics' Docker Hub repository |
| Checkmarx-KICS-SupplyChain | Supply Chain Attack | Overwritten Docker image tags: v2.1.20, alpine |
| Checkmarx-KICS-SupplyChain | Supply Chain Attack | New unofficial Docker image tag: v2.1.21 |
| Checkmarx-KICS-SupplyChain | Supply Chain Attack | Malicious VS Code Extensions related to KICS |