
A significant supply chain attack has been uncovered involving compromised Docker images and malicious Visual Studio Code extensions linked to Checkmarx’s KICS security tool. The incident highlights growing risks within developer ecosystems, where trusted tools and repositories are increasingly being targeted by threat actors.
Security researchers revealed that attackers infiltrated the official “checkmarx/kics” Docker Hub repository and replaced legitimate images with trojanized versions. These malicious images were distributed under trusted tags such as v2.1.20 and alpine, making them appear authentic to developers who rely on these versions in their workflows.
In addition to overwriting existing tags, the attackers introduced a new version labeled v2.1.21, which did not correspond to any official release. This tactic allowed the malicious images to blend into the repository while delivering hidden payloads capable of compromising developer environments.
The compromised Docker images were designed to exfiltrate sensitive data, including developer credentials and infrastructure secrets. By targeting widely used development tools, the attackers were able to position themselves deep within software supply chains, increasing the potential impact across organizations that unknowingly pulled these images.
The attack also extended beyond Docker images, with researchers identifying suspicious and potentially malicious Visual Studio Code extensions tied to the same broader campaign. These extensions further amplified the threat by targeting integrated development environments, creating multiple entry points for attackers within the software development lifecycle.
As a response to the incident, the affected Docker repository has been archived, and organizations are being urged to review their systems for any compromised components. The breach underscores the critical need for stricter verification, monitoring, and security controls across software supply chains, especially as developers increasingly depend on third-party tools and open-source ecosystems.
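As a starting point for the review described above, the following added script (written for this article, not a Checkmarx or KICS tool) scans Dockerfile, Compose and CI text for references to the checkmarx/kics image, flags the tags named in the report, and treats any other tag as mutable because tags, unlike digests, can be overwritten. The sample input and the all-zero digest are constructed placeholders; a real check compares digests against values obtained from Checkmarx, which this report does not provide.

```python
import re

# Tags named in the report: the two overwritten tags and the fabricated v2.1.21 release.
AFFECTED_TAGS = {"v2.1.20", "alpine", "v2.1.21"}

# Placeholder digest for the constructed sample; a real check compares against a digest
# obtained from Checkmarx, which this report does not provide.
PLACEHOLDER_DIGEST = "sha256:" + "0" * 64

# Matches a reference to checkmarx/kics with an optional registry prefix, tag and digest.
KICS_REF = re.compile(
    r"(?<![\w.\-])"                                     # not inside a longer name
    r"(?P<repo>(?:[A-Za-z0-9.\-]+(?::\d+)?/)?checkmarx/kics)"
    r"(?::(?P<tag>\w[\w.\-]{0,127}))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?"
    r"(?![\w.\-/])"
)

def classify(tag, digest):
    """Verdict for one reference: only a digest identifies an immutable image."""
    if digest:
        return "digest-pinned"   # still compare the digest with a trusted value
    if tag in AFFECTED_TAGS:
        return "affected-tag"    # a tag the report names as overwritten or fabricated
    return "mutable-tag"         # any other tag, or the implicit :latest, can be replaced

def scan_text(text):
    """Return (line_no, reference, verdict) for every kics reference in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in KICS_REF.finditer(line):
            verdict = classify(m.group("tag"), m.group("digest"))
            findings.append((line_no, m.group(0), verdict))
    return findings

# Constructed sample: Dockerfile, Compose and CI fragments, not from any real project.
SAMPLE = f"""\
FROM checkmarx/kics:v2.1.20 AS scanner
FROM docker.io/checkmarx/kics:v2.1.21
FROM checkmarx/kics:alpine@{PLACEHOLDER_DIGEST}
  image: checkmarx/kics
  image: checkmarx/kics:v2.1.19
  uses: docker://checkmarx/kics:alpine
  image: python:3.12
"""

if __name__ == "__main__":
    for line_no, ref, verdict in scan_text(SAMPLE):
        print(f"line {line_no}: {ref} -> {verdict}")
```

Run it over your repository files in place of SAMPLE; every "affected-tag" hit needs the image removed and the host checked, and every "mutable-tag" hit is a candidate for digest pinning.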