Checkmarx KICS supply chain pushes credential-stealing code via Docker and IDE
TL;DR - Attackers pushed malicious artifacts into Checkmarx's official Docker Hub repository, GitHub Action, and IDE extensions on April 22, 2026. The payload stole GitHub tokens, cloud credentials, SSH keys, and environment variables, exfiltrating them to attacker-controlled infrastructure. If you pulled any of the affected tags during the windows listed below, treat all secrets accessible to those jobs or machines as compromised.
What happened
KICS (Keeping Infrastructure as Code Secure) is Checkmarx's open-source IaC scanner. Teams run it in CI pipelines via Docker images and GitHub Actions to scan Terraform, Kubernetes manifests, and other infrastructure definitions. It runs with access to the same environment secrets your build jobs carry.
BleepingComputer reported that on April 22, attackers pushed malicious artifacts across multiple Checkmarx distribution channels: the official checkmarx/kics Docker Hub repository, the checkmarx/ast-github-action, and Checkmarx IDE extensions for VS Code and Open VSX.
Checkmarx's incident update, dated April 22, 2026, states the malicious artifacts were time-bounded and did not overwrite previously published known-safe versions. According to that update, Checkmarx removed the malicious artifacts, revoked and rotated exposed credentials, blocked outbound access to attacker-controlled infrastructure, reviewed environments for further signs of compromise, and initiated a third-party forensic investigation.
The malicious payload involved a hidden "MCP addon" feature that harvested GitHub tokens, cloud credentials, npm tokens, SSH keys, and environment variables, then exfiltrated them to infrastructure including audit.checkmarx[.]cx.
This is the worst-case shape for a platform supply-chain attack. Mutable tags and auto-updating IDE plugins place credential-stealing code directly inside CI runners and developer workstations - exactly where broad secret access lives.
Who is impacted
- Teams that pulled Checkmarx artifacts during the affected windows, particularly in CI where KICS and AST runs have access to cloud credentials, GitHub tokens, and other build secrets.
- Developers with auto-update enabled for Checkmarx IDE marketplace extensions.
| Artifact | Affected identifiers | Time window (UTC, per Checkmarx) |
|---|---|---|
| checkmarx/kics Docker image (Docker Hub) | v2.1.20-debian, v2.1.21-debian, debian, v2.1.21, v2.1.20, alpine, latest (and other listed tag variants) | 2026-04-22 12:31:35.883 to 2026-04-22 12:59:46.562 |
| checkmarx/ast-github-action (GitHub) | 2.3.35 | 2026-04-22 14:17:59 to 2026-04-22 15:41:31 |
| Checkmarx ast-results VS Code extension | 2.63, 2.66 | Timeframe "to be confirmed" |
| Checkmarx cx-dev-assist Developer Assist extension | 1.17, 1.19 | Timeframe "to be confirmed" |
What to do now
- Block attacker-controlled infrastructure immediately. Checkmarx listed the following domains and IPs:
  - checkmarx.cx => 91[.]195[.]240[.]123
  - audit.checkmarx.cx => 94[.]154[.]172[.]43
- Pin image references to SHAs rather than mutable tags. Review or disable auto-update settings in IDE marketplaces.
- Inventory your exposure across every CI job and developer machine:
  - Identify any jobs that pulled the affected Docker tags during the windows above.
  - Identify any workflows that used checkmarx/ast-github-action 2.3.35 during the same period.
  - Enumerate installed Checkmarx IDE extensions and confirm whether installed versions match the affected tags.
- Move to the known-safe versions Checkmarx identified:
  - checkmarx/kics Docker image: latest, v2.1.20, alpine, debian
  - checkmarx/ast-github-action: v2.3.36
  - Checkmarx VS Code extensions: v2.67.0
  - Checkmarx Developer Assist extension: v1.18.0
- Rotate secrets broadly if any affected artifact ran in your environment. Scope this like a CI credential exposure event: review workflow run logs and audit trails around the affected windows, then rotate every credential available to those jobs - cloud keys, GitHub tokens, npm tokens, SSH keys, and any environment variables present at build time.
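One way to run the inventory step over CI records is sketched below. It is an added example, not Checkmarx tooling or code from the original article. The record layout, the two-minute skew allowance and the status names are assumptions; the windows and identifiers are the ones in the table above.

```python
import re
from datetime import datetime, timedelta, timezone

def _utc(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

# Windows (UTC) and identifiers copied from the table above; the fractional
# seconds of the kics window are rounded outward to whole seconds.
AFFECTED = {
    "checkmarx/kics": (
        _utc("2026-04-22 12:31:35"), _utc("2026-04-22 12:59:47"),
        {"v2.1.20-debian", "v2.1.21-debian", "debian", "v2.1.21",
         "v2.1.20", "alpine", "latest"}),
    "checkmarx/ast-github-action": (
        _utc("2026-04-22 14:17:59"), _utc("2026-04-22 15:41:31"), {"2.3.35"}),
}
# Assumed record layout: "<UTC timestamp> job=<name> ref=<artifact>(:|@)<ref>"
LINE = re.compile(r"^(\S+) job=(\S+) ref=([\w./-]+?)[:@](\S+)$")
IMMUTABLE = re.compile(r"^(sha256:[0-9a-f]{64}|[0-9a-f]{40})$")

def classify(line, skew=timedelta(minutes=2)):
    """Return (job, status); skew widens each window to absorb clock drift."""
    m = LINE.match(line.strip())
    if not m:
        return (None, "unparsed")
    ts, job, name, ref = m.groups()
    if name not in AFFECTED:
        return (job, "other-artifact")
    start, end, ids = AFFECTED[name]
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if not (start - skew <= when <= end + skew):
        return (job, "outside-window")
    if IMMUTABLE.match(ref):
        return (job, "pinned-verify-digest")
    if ref in ids or ref.lstrip("v") in ids:
        return (job, "exposed-rotate-secrets")
    # The table notes other tag variants, so an unlisted mutable tag pulled
    # inside the window still needs a manual check.
    return (job, "in-window-review")

# Constructed sample records, not taken from any real pipeline.
SAMPLE = [
    "2026-04-22T12:40:02Z job=iac-scan ref=checkmarx/kics:latest",
    "2026-04-22T12:45:10Z job=iac-nightly ref=checkmarx/kics:example-tag",
    "2026-04-22T12:50:00Z job=iac-pinned ref=checkmarx/kics@sha256:" + "0" * 64,
    "2026-04-22T16:05:00Z job=sast-late ref=checkmarx/ast-github-action@v2.3.35",
    "2026-04-22T14:30:00Z job=sast ref=checkmarx/ast-github-action@2.3.35",
]

def triage(lines):
    return [classify(l) for l in lines]
```

Records that come back as `pinned-verify-digest` were pulled by an immutable reference inside the window, so the remaining check is that the pinned digest or commit is one you recorded before April 22.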
Why this matters for AppSec
Mutable container tags and auto-updating IDE plugins are trust assumptions that most teams never consciously make - but they do, every time a CI job runs docker pull checkmarx/kics:latest or a developer's editor silently installs an update.
This incident makes the threat model concrete:
- Mutable tags are implicit trust delegation. When you pin to latest or a named tag rather than a digest, you're trusting whoever controls that registry path in perpetuity.
- CI runners are high-value targets. A scanner that runs across your IaC has access to the same secrets as your deployment pipeline. That's a significant blast radius.
- IDE extensions are an underguarded surface. Auto-update in a marketplace means your developer workstation is also a pull-based deployment target. Developers carry database credentials, cloud keys, and personal access tokens.
- Time-bounded attacks are hard to detect. A 28-minute window on a Docker tag leaves a narrow detection surface unless you're logging image digests at pull time.
The short-term fix is rotating secrets. The longer-term fix is pinning every third-party tool to a digest and auditing that list regularly.
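The pinning audit can be automated. The following is an added example, not code from the article or from Checkmarx, and it generalizes beyond Checkmarx artifacts to any third-party action or image in a workflow file. The function name, the regexes and the sample workflow are assumptions made for illustration.

```python
import re

SHA40 = re.compile(r"^[0-9a-f]{40}$")
DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")
# Action steps: `uses: owner/repo[/path]@ref` (local ./ and docker:// forms excluded).
USES = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?(?!\./|docker://)([\w.-]+/[\w./-]+)@([^\s'\"#]+)")
# Images: `uses: docker://img`, `image: img`, and `docker pull img` in run steps
# (pull flags that take a separate value are not handled).
IMAGE = re.compile(
    r"(?:uses:\s*['\"]?docker://|^\s*-?\s*image:\s*['\"]?"
    r"|\bdocker\s+pull\s+(?:-\S+\s+)*)([^\s'\"#;|&]+)")

def unpinned_refs(workflow_text):
    """Return (line_no, kind, reference) for each reference not pinned to a
    full commit SHA (actions) or a sha256 digest (images)."""
    findings = []
    for no, line in enumerate(workflow_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # whole-line YAML comment
        m = USES.match(line)
        if m:
            if not SHA40.match(m.group(2)):
                findings.append((no, "action", f"{m.group(1)}@{m.group(2)}"))
            continue
        m = IMAGE.search(line)
        if m and not DIGEST.search(m.group(1)):
            findings.append((no, "image", m.group(1)))
    return findings

# Constructed workflow; the digest and commit SHA are filler values.
SAMPLE = """\
jobs:
  scan:
    runs-on: ubuntu-latest
    container:
      image: checkmarx/kics@sha256:%s
    steps:
      - uses: actions/checkout@v4
      - uses: checkmarx/ast-github-action@%s  # pinned commit (constructed)
      - uses: docker://checkmarx/kics:latest
      - run: docker pull checkmarx/kics:latest
""" % ("a" * 64, "b" * 40)
```

Running `unpinned_refs` over every workflow file in CI and failing the build on a non-empty result turns the periodic audit into a gate.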
