Cybersecurity researchers have warned of malicious KICS Docker images and VS Code extensions distributed through Checkmarx's own channels, in what appears to be a compromise of the vendor's supply chain. Unknown threat actors overwrote existing Docker tags, including v2.1.20 and alpine, and added a new v2.1.21 tag that did not correspond to any official release; the Docker repository was subsequently archived. Because image tags are mutable pointers, anyone pulling the image by tag rather than by digest would have received the poisoned build without changing anything on their side.
According to Socket, the poisoned image carried a modified KICS binary with data-collection and exfiltration capabilities absent from the legitimate build: it generated an unredacted scan report, encrypted it, and sent it to an external endpoint. Since KICS is run against infrastructure-as-code and its findings can include hard-coded secrets, an unredacted report is a direct way to harvest credentials from every repository the tool scans.
Related Checkmarx developer tooling may also have been affected: two releases of a Visual Studio Code extension, versions 1.17.0 and 1.19.0, downloaded and executed a remote add-on via the Bun runtime, while the intervening 1.18.0 release did not contain the behaviour. Taken together, the evidence points to a broader supply chain compromise spanning multiple Checkmarx distribution channels. The Hacker News said it has reached out to Checkmarx for further information.
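As an added exposure check (not code from the article, Socket or Checkmarx), the script below audits Dockerfile FROM lines and CI image: lines for KICS references that use the overwritten or attacker-added tags, or any mutable tag at all, and checks VS Code extension metadata for the implicated versions. It assumes the image repository is checkmarx/kics and the extension's publisher id is checkmarx, neither of which the article states; the sample Dockerfile, CI snippet and extension metadata are constructed, and the digest in the sample is a placeholder.

```python
"""Exposure check for the KICS image / Checkmarx VS Code extension incident.

Added example, not Checkmarx's, Socket's or the article's code. Assumptions the
article does not state: the repository is checkmarx/kics (Docker Hub unless a
registry prefix is given); the extension is published under the VS Code publisher
id "checkmarx"; extensions live under ~/.vscode/extensions/<id>-<version>/package.json.
"""
import json
import re
from pathlib import Path

# Tags the article says the attacker overwrote (v2.1.20, alpine) or added (v2.1.21).
IMPLICATED_TAGS = {"v2.1.20", "alpine", "v2.1.21"}
KICS_REPO = "checkmarx/kics"                      # assumption: repository name
# Extension releases the article says fetched and ran a remote add-on via Bun.
IMPLICATED_EXT_VERSIONS = {"1.17.0", "1.19.0"}    # 1.18.0 did not have the behaviour
EXT_PUBLISHER = "checkmarx"                       # assumption: publisher id

DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")
FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)", re.I | re.M)
IMAGE_RE = re.compile(r"""^\s*-?\s*image:\s*['"]?([^'"\s]+)""", re.M)


def parse_image_ref(ref):
    """Split 'registry/repo:tag@sha256:...' into (name, tag, digest).

    A ':' is a tag separator only after the last '/', so a registry port such
    as localhost:5000/... is not mistaken for a tag.
    """
    ref = ref.strip()
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    tag = None
    if ref.rfind(":") > ref.rfind("/"):
        ref, tag = ref.rsplit(":", 1)
    return ref, tag, digest


def classify_image_ref(ref):
    """Return a finding for KICS references the article makes risky, else None."""
    name, tag, digest = parse_image_ref(ref)
    if name != KICS_REPO and not name.endswith("/" + KICS_REPO):
        return None                                   # not the affected repository
    if digest is not None:
        if DIGEST_RE.fullmatch(digest):
            return None      # digest-pinned: a re-pushed tag cannot change the pull
        return f"{ref}: malformed digest {digest!r}"
    tag = tag or "latest"                             # Docker's implicit default tag
    if tag in IMPLICATED_TAGS:
        return f"{ref}: tag {tag!r} was overwritten or added by the attacker"
    return f"{ref}: mutable tag {tag!r}, pin by digest"


def audit_text(text):
    """Scan Dockerfile FROM lines and CI 'image:' lines; return the findings."""
    refs = FROM_RE.findall(text) + IMAGE_RE.findall(text)
    return [f for f in map(classify_image_ref, refs) if f]


def load_installed_extensions(extensions_dir):
    """Read the package.json of every extension under extensions_dir."""
    found = []
    for pkg in Path(extensions_dir).expanduser().glob("*/package.json"):
        try:
            found.append(json.loads(pkg.read_text(encoding="utf-8")))
        except (OSError, ValueError):
            continue
    return found


def implicated_extensions(metadata):
    """Return (name, version) for extensions at an implicated version."""
    return [
        (m.get("name"), m.get("version"))
        for m in metadata
        if str(m.get("publisher", "")).lower() == EXT_PUBLISHER
        and m.get("version") in IMPLICATED_EXT_VERSIONS
    ]


# Constructed sample inputs; the digest below is a placeholder, not a real one.
SAMPLE_DOCKERFILE = """\
FROM checkmarx/kics:v2.1.20 AS kics
FROM docker.io/checkmarx/kics:alpine
FROM checkmarx/kics
FROM checkmarx/kics:v2.1.19@sha256:%s
FROM python:3.12-slim
""" % ("a" * 64)
SAMPLE_CI = 'kics-scan:\n  image: "checkmarx/kics:v2.1.21"\n  script:\n    - kics scan -p .\n'
SAMPLE_EXTENSIONS = [                                 # constructed metadata
    {"publisher": "checkmarx", "name": "example-ext", "version": "1.17.0"},
    {"publisher": "checkmarx", "name": "example-ext", "version": "1.18.0"},
    {"publisher": "other", "name": "unrelated", "version": "1.19.0"},
]

if __name__ == "__main__":
    for finding in audit_text(SAMPLE_DOCKERFILE) + audit_text(SAMPLE_CI):
        print(finding)
    print(implicated_extensions(SAMPLE_EXTENSIONS))
    # Real use: implicated_extensions(load_installed_extensions("~/.vscode/extensions"))
```

The digest-pinned reference is the only one that passes: pinning by sha256 digest means a re-pushed tag cannot change what the build pulls, which is exactly the defence against the tag overwrite described above. A reference to the affected repository with no digest is reported even when its tag is not one of the three named, because any mutable tag is exposed to the same attack.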