How did the malicious Visual Studio Code extensions operate?

The altered extensions executed remote code without user consent by downloading and running additional JavaScript through the Bun runtime.

What immediate actions should organizations take if they used the compromised tools?

Organizations should treat any credentials or sensitive data exposed during scans with the compromised tools as potentially compromised and take appropriate remediation steps.

Checkmarx Supply Chain Breach: Malicious KICS Docker Images and VS Code Extensions Detected

In April 2026, a significant supply chain attack targeted Checkmarx, compromising KICS Docker images and Visual Studio Code extensions, leading to potential exposure of sensitive data.

Published: April 22, 2026

Share this on:

Executive Summary

In April 2026, Checkmarx's supply chain was compromised when attackers uploaded malicious images to the official 'checkmarx/kics' Docker Hub repository. These images, including versions v2.1.20 and a fraudulent v2.1.21, contained modified KICS binaries with unauthorized data collection and exfiltration capabilities. Additionally, certain Visual Studio Code extensions were altered to execute remote code without user consent. Organizations using these compromised tools to scan infrastructure-as-code files risked exposing sensitive credentials and configurations. (thehackernews.com)

This incident underscores the escalating threat of supply chain attacks targeting widely-used development tools. It highlights the necessity for organizations to implement stringent security measures, such as verifying the integrity of third-party software and continuously monitoring for unauthorized modifications, to safeguard against similar vulnerabilities.

Why This Matters Now

The Checkmarx supply chain compromise highlights the increasing sophistication of attacks targeting development tools, emphasizing the urgent need for organizations to enhance their software supply chain security practices to prevent unauthorized access and data breaches.

Attack Path Analysis

Attackers compromised the Checkmarx KICS Docker Hub repository by overwriting existing tags and introducing a new, unauthorized tag. They modified the KICS binary to include data collection and exfiltration capabilities, enabling the extraction of sensitive information from scanned infrastructure-as-code files. The malicious code established a command-and-control channel to an external endpoint for data exfiltration. The exfiltrated data included uncensored scan reports containing credentials and other sensitive configuration data. The attack impacted organizations using the compromised KICS images, leading to potential exposure of sensitive information.

Kill Chain Progression

Initial Compromise

High

Privilege Escalation

High

Lateral Movement

Medium

Command & Control

High

Exfiltration

High

Impact

Medium

Initial Compromise

Description

Attackers gained access to the Checkmarx KICS Docker Hub repository, overwriting existing tags and introducing a new, unauthorized tag.

Confidence:

High

MITRE ATT&CK® Techniques

Execution

T1204.003

User Execution: Malicious Image

Persistence

T1525

Implant Internal Image

Defense Evasion

T1612

Build Image on Host

Potential Compliance Exposure

Mapping incident impact across multiple compliance frameworks.

PCI DSS 4.0 – Ensure all system components are protected from known vulnerabilities

Control ID: 6.2

The introduction of malicious Docker images indicates a failure to protect system components from known vulnerabilities, violating PCI DSS requirement 6.2.

NYDFS 23 NYCRR 500 – Cybersecurity Policy

Control ID: 500.03

The incident suggests deficiencies in the organization's cybersecurity policy, as required by NYDFS 500.03, to address and mitigate supply chain risks.

DORA – ICT Risk Management Framework

Control ID: Article 5

The breach highlights inadequate ICT risk management practices, contravening DORA's Article 5 requirements for a comprehensive risk management framework.

CISA ZTMM 2.0 – Supply Chain Risk Management

Control ID: 3.1

The compromise of Docker images points to weaknesses in supply chain risk management, as outlined in CISA's Zero Trust Maturity Model 2.0, section 3.1.

NIS2 Directive – Cybersecurity Risk Management Measures

Control ID: Article 21

The incident reflects a failure to implement appropriate cybersecurity risk management measures, violating NIS2 Directive Article 21.

Sector Implications

Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.

Computer Software/Engineering

Critical supply chain compromise targeting KICS Docker images and VS Code extensions directly impacts software development workflows, requiring enhanced container and extension security validation.

Computer/Network Security

Malicious Docker Hub repository takeover demonstrates sophisticated supply chain attacks against security tools, undermining trust in containerized security scanning and compliance validation solutions.

Information Technology/IT

Compromised development tools create enterprise-wide risks through tainted container images and IDE extensions, necessitating immediate inventory checks and enhanced egress security controls.

Financial Services

Supply chain attacks on development infrastructure threaten regulated environments requiring HIPAA and PCI compliance, potentially compromising encrypted traffic monitoring and data protection controls.

Sources

Malicious KICS Docker Images and VS Code Extensions Hit Checkmarx Supply Chainhttps://thehackernews.com/2026/04/malicious-kics-docker-images-and-vs.html
Verified

Malicious Checkmarx Artifacts Found in Official KICS Docker Repository and Code Extensionshttps://socket.dev/blog/checkmarx-supply-chain-compromise

Verified

Checkmarx Security Updatehttps://checkmarx.com/blog/checkmarx-security-update/

Verified

Frequently Asked Questions

The compromised versions included v2.1.20 and a fraudulent v2.1.21, which contained malicious modifications.

Cloud Native Security Fabric Mitigations and ControlsCNSF

Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's ability to move laterally and exfiltrate sensitive data by enforcing strict segmentation and controlled egress policies.

Initial Compromise

Control: Cloud Native Security Fabric (CNSF)

Mitigation: The attacker's ability to introduce unauthorized tags into the repository would likely be constrained, reducing the risk of initial compromise.

Privilege Escalation

Control: Zero Trust Segmentation

Mitigation: The attacker's ability to escalate privileges by modifying binaries would likely be constrained, reducing the risk of unauthorized data collection.

Lateral Movement

Control: East-West Traffic Security

Mitigation: The attacker's ability to move laterally across development environments would likely be constrained, reducing the spread of malicious code.

Command & Control

Control: Multicloud Visibility & Control

Mitigation: The attacker's ability to establish command-and-control channels to external endpoints would likely be constrained, reducing the risk of data exfiltration.

Exfiltration

Control: Egress Security & Policy Enforcement

Mitigation: The attacker's ability to exfiltrate sensitive data would likely be constrained, reducing the risk of data leakage.

Impact (Mitigations)

The overall impact of the attack would likely be constrained, reducing the exposure of sensitive information across organizations.

Impact at a Glance

Affected Business Functions

Infrastructure as Code (IaC) Security Scanning
Continuous Integration/Continuous Deployment (CI/CD) Pipelines
Software Development
DevOps Operations

Operational Disruption

Estimated downtime: 7 days

Financial Impact

Estimated loss: $50,000

Data Exposure

Potential exposure of sensitive configuration data, including credentials and secrets, from IaC files scanned using compromised KICS versions.

Recommended Actions

• Implement Zero Trust Segmentation to restrict unauthorized access and limit the spread of malicious code.
• Enforce Egress Security & Policy Enforcement to monitor and control outbound traffic, preventing unauthorized data exfiltration.
• Utilize Multicloud Visibility & Control to detect and respond to anomalous activities across cloud environments.
• Deploy Inline IPS (Suricata) to identify and block known exploit patterns and malicious payloads.
• Regularly audit and monitor software supply chains to detect and mitigate potential compromises.

Secure the Paths Between Cloud Workloads

A cloud-native security fabric that enforces Zero Trust across workload communication—reducing attack paths, compliance risk, and operational complexity.

Stop Advanced Threats Get a Free Workload Attack Path Assessment Under Active Attack?

Checkmarx Supply Chain Breach: Malicious KICS Docker Images and VS Code Extensions Detected

Executive Summary

Why This Matters Now

Attack Path Analysis

Kill Chain Progression

Initial Compromise

Description

MITRE ATT&CK® Techniques

User Execution: Malicious Image

Implant Internal Image

Build Image on Host

Potential Compliance Exposure

PCI DSS 4.0 – Ensure all system components are protected from known vulnerabilities

NYDFS 23 NYCRR 500 – Cybersecurity Policy

DORA – ICT Risk Management Framework

CISA ZTMM 2.0 – Supply Chain Risk Management

NIS2 Directive – Cybersecurity Risk Management Measures

Sector Implications

Computer Software/Engineering

Computer/Network Security

Information Technology/IT

Financial Services

Sources

Frequently Asked Questions

Cloud Native Security Fabric Mitigations and ControlsCNSF

Impact at a Glance

Affected Business Functions

Recommended Actions

Key Takeaways & Next Steps

Secure the Paths Between Cloud Workloads

Products

By Role

Customer Stories

Security & Legal

Solutions

Resources

Industry

Company

Tools