
Checkmarx KICS Supply Chain Compromise: Detection and Incident Response Guide

Security Arsenal Team
April 23, 2026
7 min read

A critical supply-chain breach has been confirmed affecting the Checkmarx KICS (Keeping Infrastructure as Code Secure) analysis tool. Attackers successfully compromised the maintainer's environment, injecting malicious code into official Docker images and VSCode extensions distributed via the Docker Hub and the VSCode Marketplace.

The objective of this campaign is the theft of sensitive credentials—specifically cloud access keys and API tokens—from developer environments. For organizations utilizing KICS within CI/CD pipelines or local development setups, this is not merely a software vulnerability; it is an active identity theft scenario. Defenders must immediately assume that any credentials present in environments where the compromised tool ran are potentially compromised.

Technical Analysis

Affected Products and Platforms

  • Product: Checkmarx KICS (Keeping Infrastructure as Code Secure)
  • Affected Artifacts:
    • Docker Images: checkmarx/kics (specific versions pulled during the compromise window).
    • IDE Extensions: checkmarx.kics, distributed through the VSCode Marketplace and the Open VSX registry.
  • Platform: Windows, Linux, macOS (via VSCode/Docker).

Attack Chain and Mechanism

The attackers leveraged a classic supply-chain attack vector:

  1. Initial Compromise: The attacker gained access to the maintainer's publishing token (likely Docker Hub and VSCode Marketplace credentials).
  2. Artifact Tampering:
    • Docker: Malicious images were pushed to Docker Hub containing a modified entrypoint script that enumerates environment variables (e.g., AWS_ACCESS_KEY_ID, GITHUB_TOKEN) and exfiltrates them to a command-and-control (C2) server.
    • VSCode: The extension package was updated to include a post-install script or background service that monitors for credential files and .env files, exfiltrating contents upon detection.
  3. Exfiltration: Sensitive data is transmitted via HTTP/HTTPS to attacker-controlled infrastructure.
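
The attack chain hinges on a modified entrypoint inside an otherwise familiar image, so the first defensive question is whether the image on a given host is the one that was vetted. The following is an added example, not code from the advisory or from the KICS project: it compares a pulled checkmarx/kics image, as described by `docker image inspect`, against a known-good baseline. A replaced entrypoint, a wrapper in front of the real binary or an injected start-up environment variable becomes a finding, and a RepoDigest outside the known-good set means the local image is not the vetted artifact. The inspect JSON, the baseline entrypoint and the digests are constructed placeholders; take real digests from the vendor advisory and the baseline from an image verified before the compromise window.

```python
"""Added example, not code from the advisory or the KICS project: compare a
pulled checkmarx/kics image (docker image inspect output) with a known-good
baseline. The inspect JSON, baseline entrypoint and digests below are
CONSTRUCTED placeholders."""
import json

# Placeholder digests (not real KICS digests); fill from the vendor advisory.
KNOWN_GOOD_DIGESTS = {"checkmarx/kics@sha256:" + "a" * 64}
# Assumed baseline for this example; record your own from a vetted image.
BASELINE_CONFIG = {"Entrypoint": ["/app/bin/kics"], "Cmd": None}
# Variables that hijack process start-up and have no place in a scanner image.
SUSPICIOUS_ENV = {"LD_PRELOAD", "BASH_ENV", "ENV", "PROMPT_COMMAND"}


def check_image(inspect_json, baseline=BASELINE_CONFIG, known_good=KNOWN_GOOD_DIGESTS):
    """Return a list of findings; an empty list means every image matches the baseline."""
    findings = []
    for img in json.loads(inspect_json):
        short_id = img["Id"][:19]          # "sha256:" plus 12 hex characters
        cfg = img.get("Config", {})
        # 1. Is this the artifact that was vetted? Compare repository digests.
        if not set(img.get("RepoDigests", [])) & known_good:
            findings.append(f"{short_id}: RepoDigests {img.get('RepoDigests')} not in known-good set")
        # 2. Did the entrypoint or default command change?
        for key, expected in baseline.items():
            if cfg.get(key) != expected:
                findings.append(f"{short_id}: {key} is {cfg.get(key)!r}, baseline {expected!r}")
        # 3. Any start-up hijack variables baked into the image environment?
        for entry in cfg.get("Env", []):
            name = entry.split("=", 1)[0]
            if name in SUSPICIOUS_ENV:
                findings.append(f"{short_id}: suspicious environment variable {name}")
    return findings


# Constructed `docker image inspect` records: one vetted image, one tampered one.
VETTED_IMAGE = {
    "Id": "sha256:" + "a" * 64,
    "RepoDigests": ["checkmarx/kics@sha256:" + "a" * 64],
    "Config": {"Entrypoint": ["/app/bin/kics"], "Cmd": None,
               "Env": ["PATH=/usr/local/bin:/usr/bin"]},
}
TAMPERED_IMAGE = {
    "Id": "sha256:" + "b" * 64,
    "RepoDigests": ["checkmarx/kics@sha256:" + "b" * 64],
    "Config": {"Entrypoint": ["/bin/sh", "-c", "/tmp/.wrapper.sh"], "Cmd": None,
               "Env": ["PATH=/usr/local/bin:/usr/bin", "LD_PRELOAD=/tmp/.x.so"]},
}
VETTED_INSPECT = json.dumps([VETTED_IMAGE])
SAMPLE_INSPECT = json.dumps([VETTED_IMAGE, TAMPERED_IMAGE])

if __name__ == "__main__":
    for finding in check_image(SAMPLE_INSPECT):
        print(finding)
```

Run it against the real output of `docker image inspect checkmarx/kics:<tag>` on each build host; the digest check alone is enough to decide whether an image must be removed, while the entrypoint and environment checks tell you what the tampered variant actually changed.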

Exploitation Status

  • Status: Confirmed Active Exploitation.
  • Context: The malicious packages were live and available for download for a specific window before being identified and removed. Any CI/CD job or developer workstation that pulled or updated the tool during this window was automatically compromised upon execution.

Detection & Response

SIGMA Rules

The following Sigma rules detect execution of the compromised Docker container and suspicious child processes or outbound connections of the VSCode host process, both of which can indicate a malicious extension running.

YAML
---
title: Potential Compromised Checkmarx KICS Docker Container Execution
id: 8a2b1c9d-4e3f-4a5b-8c6d-7e8f9a0b1c2d
status: experimental
description: Detects the execution of the checkmarx/kics Docker image, which may be compromised depending on the pull timestamp. Correlate with image pull times.
references:
  - https://www.bleepingcomputer.com/news/security/new-checkmarx-supply-chain-breach-affects-kics-analysis-tool/
author: Security Arsenal
date: 2025/01/21
tags:
  - attack.execution
  - attack.t1204
logsource:
  category: container
  product: linux
detection:
  selection:
    ImageName|contains: 'checkmarx/kics'
  condition: selection
falsepositives:
  - Legitimate use of KICS for scanning IaC (verify image integrity)
level: high
---
title: VSCode Host Process Spawning Shell - Potential Extension Malware
id: 9b3c2d0e-5f4a-4b6c-9d7e-0f1a2b3c4d5e
status: experimental
description: Detects VSCode (Code.exe) spawning cmd, powershell, pwsh or bash. Legitimate extensions rarely need a shell; spawning one is a common TTP for malicious IDE plugins such as the compromised KICS extension.
references:
  - https://www.bleepingcomputer.com/news/security/new-checkmarx-supply-chain-breach-affects-kics-analysis-tool/
author: Security Arsenal
date: 2025/01/21
tags:
  - attack.execution
  - attack.t1059
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith:
      - '\Code.exe'
      - '\Code - Insiders.exe'
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
      - '\bash.exe'
  condition: selection
falsepositives:
  - Developers using the integrated terminal (shells spawned by Code.exe); baseline per host and tune on CommandLine before alerting
level: high
---
title: VSCode Network Connection to Non-Microsoft Domain
id: 0c4d3e1f-6a5b-5c7d-0e2f-1a3b4c5d6e7f
status: experimental
description: Detects the VSCode main process initiating network connections to domains other than known Microsoft update/marketplace endpoints. Potential C2 beaconing from compromised extension.
references:
  - https://www.bleepingcomputer.com/news/security/new-checkmarx-supply-chain-breach-affects-kics-analysis-tool/
author: Security Arsenal
date: 2025/01/21
tags:
  - attack.exfiltration
  - attack.t1041
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    Image|endswith:
      - '\Code.exe'
    Initiated: 'true'
  filter_legit:
    DestinationHostname|contains:
      - '.microsoft.com'
      - '.msftncsi.com'
      - '.visualstudio.com'
      - '.vsassets.io'
      - '.github.com'
  condition: selection and not filter_legit
falsepositives:
  - Extensions connecting to legitimate 3rd party APIs (e.g., Jira, Slack)
level: medium
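
Before deploying the rules it helps to run their logic over a handful of exported events and see exactly which ones fire. The block below is an added example, not part of the advisory: it re-implements the three Sigma rules as plain Python predicates and applies the "correlate with image pull time" guidance from the first rule. Field names follow the rules (ImageName, ParentImage, Image, Initiated, DestinationHostname); the sample events and the compromise window are constructed placeholders. One deliberate tightening over the YAML: the allow-list is applied as a hostname suffix match, because the Sigma `contains` modifier would also whitelist a host such as api.github.com.attacker.invalid.

```python
"""Added example (not from the original advisory): the three Sigma rules
re-implemented as Python predicates for offline testing over exported events.
Sample events and the compromise window are CONSTRUCTED placeholders."""
from datetime import datetime, timezone

# Placeholder compromise window (constructed); use the vendor advisory's dates.
WINDOW_START = datetime(2025, 1, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 1, 31, 23, 59, 59, tzinfo=timezone.utc)

VSCODE_HOSTS = ("\\code.exe", "\\code - insiders.exe")
SHELLS = ("\\cmd.exe", "\\powershell.exe", "\\pwsh.exe", "\\bash.exe")
# Allow-list from the Sigma rule, applied as a *suffix* match rather than 'contains'.
LEGIT_SUFFIXES = (".microsoft.com", ".msftncsi.com", ".visualstudio.com",
                  ".vsassets.io", ".github.com")


def _ends_with_any(value, suffixes):
    """Case-insensitive endswith, matching Sigma's default string semantics."""
    return str(value or "").lower().endswith(suffixes)


def rule_kics_container(ev):
    """Rule 1: the checkmarx/kics image ran on a host."""
    return (ev.get("category") == "container"
            and "checkmarx/kics" in str(ev.get("ImageName", "")).lower())


def rule_vscode_shell(ev):
    """Rule 2: a VS Code host process spawned a shell."""
    return (ev.get("category") == "process_creation"
            and _ends_with_any(ev.get("ParentImage"), VSCODE_HOSTS)
            and _ends_with_any(ev.get("Image"), SHELLS))


def rule_vscode_network(ev):
    """Rule 3: Code.exe initiated a connection outside the Microsoft/GitHub allow-list."""
    if ev.get("category") != "network_connection":
        return False
    if not _ends_with_any(ev.get("Image"), ("\\code.exe",)):
        return False
    if str(ev.get("Initiated", "")).lower() != "true":
        return False
    return not _ends_with_any(ev.get("DestinationHostname"), LEGIT_SUFFIXES)


def run_rules(events):
    """Return (rule, event id, level) for every event that matches a rule."""
    hits = []
    for ev in events:
        if rule_kics_container(ev):
            pulled = ev.get("PulledAt")
            # Correlate with pull time: inside the window the image is presumed
            # tampered ('high'); outside it the hit still needs human review.
            level = "high" if pulled and WINDOW_START <= pulled <= WINDOW_END else "review"
            hits.append(("kics-container", ev["id"], level))
        if rule_vscode_shell(ev):
            hits.append(("vscode-shell-spawn", ev["id"], "high"))
        if rule_vscode_network(ev):
            hits.append(("vscode-non-ms-network", ev["id"], "medium"))
    return hits


CODE_EXE = "C:\\Users\\dev\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe"
SAMPLE_EVENTS = [  # constructed sample events
    {"id": 1, "category": "container", "ImageName": "checkmarx/kics:latest",
     "PulledAt": datetime(2025, 1, 15, 9, 30, tzinfo=timezone.utc)},
    {"id": 2, "category": "container", "ImageName": "checkmarx/kics:v0-example",
     "PulledAt": datetime(2024, 11, 2, tzinfo=timezone.utc)},
    {"id": 3, "category": "process_creation", "ParentImage": CODE_EXE,
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"id": 4, "category": "process_creation", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe"},
    {"id": 5, "category": "network_connection", "Image": CODE_EXE, "Initiated": "true",
     "DestinationHostname": "update.code.visualstudio.com"},
    {"id": 6, "category": "network_connection", "Image": CODE_EXE, "Initiated": "true",
     "DestinationHostname": "collector.example-c2.invalid"},
    {"id": 7, "category": "network_connection", "Image": CODE_EXE, "Initiated": "true",
     "DestinationHostname": "api.github.com.attacker.invalid"},
]

if __name__ == "__main__":
    for hit in run_rules(SAMPLE_EVENTS):
        print(hit)
```

Event 7 is the case the suffix match exists for: with the YAML's `contains` filter it would be silently allow-listed. If you keep the Sigma rule as written, consider switching `filter_legit` to `DestinationHostname|endswith`.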

KQL (Microsoft Sentinel / Defender)

This query hunts for shells spawned by the VSCode host process, for network connections the host process initiates to destinations outside known Microsoft and GitHub infrastructure, and for execution of the KICS Docker container.

KQL — Microsoft Sentinel / Defender
// Hunt 1: VSCode host process spawning a shell (mirrors the Sigma process_creation rule)
let VSCodeShellSpawn = DeviceProcessEvents
| where InitiatingProcessFileName in~ ("Code.exe", "Code - Insiders.exe")
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "bash.exe")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, Hunt = "VSCodeShellSpawn";

// Hunt 2: VSCode host process connecting outside known Microsoft/GitHub infrastructure
let NetworkExfil = DeviceNetworkEvents
| where InitiatingProcessFileName =~ "Code.exe"
// Direct-to-IP connections carry no RemoteUrl; keep them instead of filtering them out
| where isempty(RemoteUrl)
    or (RemoteUrl !contains "microsoft.com"
        and RemoteUrl !contains "msftncsi.com"
        and RemoteUrl !contains "vsassets.io"
        and RemoteUrl !contains "visualstudio.com"
        and RemoteUrl !contains "github.com")
| project Timestamp, DeviceName, AccountName = InitiatingProcessAccountName, RemoteUrl, RemoteIP, RemotePort, Hunt = "VSCodeNetwork";

// Hunt 3: Docker execution of the KICS image (Windows and Linux sensors)
let DockerKICS = DeviceProcessEvents
| where FileName in~ ("docker.exe", "docker", "dockerd")
| where ProcessCommandLine contains "checkmarx/kics"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, Hunt = "DockerKICS";

union VSCodeShellSpawn, NetworkExfil, DockerKICS
| sort by Timestamp desc

Velociraptor VQL

This VQL artifact hunts for installed copies of the VSCode extension (extension ID checkmarx.kics) across user profiles and lists Docker containers created from the checkmarx/kics image.

VQL — Velociraptor
-- Hunt 1: installed checkmarx.kics VSCode extension directories.
-- VSCode names extension folders <publisher>.<name>-<version>, so match the prefix.
LET Globs = [
  "/home/*/.vscode/extensions/checkmarx.kics-*",
  "/root/.vscode/extensions/checkmarx.kics-*",
  "/Users/*/.vscode/extensions/checkmarx.kics-*",
  "C:/Users/*/.vscode/extensions/checkmarx.kics-*"
]

SELECT
  OSPath,
  Mtime
FROM glob(globs=Globs)
WHERE Mtime > timestamp(epoch="2024-12-01") -- Adjust based on breach window

-- Hunt 2: containers (running or stopped) created from the checkmarx/kics image,
-- via the docker CLI on the endpoint.
SELECT Stdout
FROM execve(argv=["docker", "ps", "-a", "--format", "{{.ID}} {{.Names}} {{.Image}} {{.Command}}"])
WHERE Stdout =~ "checkmarx/kics"

Remediation Script

This PowerShell script checks for the presence of the compromised VSCode extension on Windows workstations and provides instructions for verifying Docker images.

PowerShell
# Checkmarx KICS Supply Chain Remediation Script
# Action: Detects the VSCode extension and lists local Docker images

Write-Host "[+] Starting Checkmarx KICS Supply Chain Check..." -ForegroundColor Cyan

# 1. Check for the VSCode extension (folders are named <publisher>.<name>-<version>)
$ExtensionRoots = @("$env:USERPROFILE\.vscode\extensions", "$env:USERPROFILE\.vscode-insiders\extensions")
$Found = foreach ($root in $ExtensionRoots) {
    if (Test-Path $root) { Get-ChildItem -Path $root -Directory -Filter "checkmarx.kics*" }
}
if ($Found) {
    foreach ($ext in $Found) {
        Write-Host "[!] ALERT: Checkmarx KICS extension found at $($ext.FullName)" -ForegroundColor Red
        Write-Host "    Details: $($ext.Name) - Last Modified: $($ext.LastWriteTime)"
    }
    Write-Host "    Action: Uninstall immediately via the VSCode UI or delete the directory." -ForegroundColor Yellow
} else {
    Write-Host "[+] No Checkmarx KICS extension found in user profile." -ForegroundColor Green
}

# 2. Check Docker images (requires the Docker CLI)
$DockerCheck = Get-Command docker -ErrorAction SilentlyContinue
if ($DockerCheck) {
    Write-Host "[+] Docker detected. Scanning for checkmarx/kics images..." -ForegroundColor Cyan
    # Include the digest so each image can be compared with the vendor's published list
    $images = docker images --format "{{.Repository}}:{{.Tag}}@{{.Digest}}" | Select-String "checkmarx/kics"
    if ($images) {
        Write-Host "[!] ALERT: checkmarx/kics Docker images found (compare digests with the vendor advisory):" -ForegroundColor Red
        $images | ForEach-Object { Write-Host "    - $_" }
        # Single quotes: show the command to the operator instead of expanding $(...) here
        Write-Host '    Action: Run "docker rmi -f $(docker images checkmarx/kics -q)" to remove.' -ForegroundColor Yellow
    } else {
        Write-Host "[+] No checkmarx/kics images found locally." -ForegroundColor Green
    }
} else {
    Write-Host "[-] Docker CLI not found. Skipping container check." -ForegroundColor Gray
}

Write-Host "[+] REMEDIATION ADVICE: Rotate all cloud credentials (AWS, GCP, Azure) if the extension or image was present." -ForegroundColor Magenta

Remediation

Immediate action is required to secure the environment and prevent further data loss.

  1. Identify and Isolate:

    • VSCode: Developers must immediately uninstall the checkmarx.kics extension.
    • Docker: Identify all containers running the checkmarx/kics image. Stop and remove these containers immediately. Delete the compromised images locally using docker rmi.
  2. Credential Rotation (CRITICAL):

    • Assume all credentials (AWS Access Keys, Azure Service Principals, GitHub Tokens, API Keys) stored in environment variables or .env files accessible to the compromised tool are leaked.
    • Rotate these credentials immediately. This is the most important step; patching the tool does not revoke access for the attacker who already has the keys.
  3. Update and Verify:

    • Once the vendor confirms the registry is clean (check the official Checkmarx advisory), pull the latest verified image.
    • Reinstall the VSCode extension only after verifying the version matches the patched release provided by Checkmarx.
  4. Audit Logs:

    • Review CloudTrail (AWS), Azure Monitor, and GitHub Audit Logs for anomalous API usage originating from the timeframe the tool was active.
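
Two of the steps above are easy to state and easy to do incompletely: deciding which credentials the tool could have read (step 2) and making sure the re-verified image is pulled by immutable digest rather than by a tag that can be re-pointed (step 3). The following is an added example, not code from the advisory or the KICS project. `rotation_inventory()` takes the variables a build environment exposed and returns the names (never the values) that look like credentials and must be rotated; `unpinned_kics_refs()` scans pipeline or Dockerfile text for checkmarx/kics references that lack an `@sha256:` digest. The .env and pipeline samples are constructed, and the digest in the sample is a placeholder.

```python
"""Added example, not part of the advisory or the KICS project: a credential
rotation inventory (names only) and a scanner for checkmarx/kics image
references that are not pinned by digest. Samples are CONSTRUCTED."""
import re

# Name fragments that usually denote a secret, matched as whole '_'-separated words.
CREDENTIAL_NAME_RE = re.compile(
    r"(?i)(?:^|_)(?:SECRET|TOKEN|PASSWORD|PASSWD|API_KEY|ACCESS_KEY|PRIVATE_KEY|CLIENT_SECRET)(?:$|_)")
# A URL carrying an embedded user:password@ pair (e.g. a database DSN).
EMBEDDED_CRED_URL_RE = re.compile(r"^[a-z][a-z0-9+.-]*://[^/@\s]+:[^/@\s]+@", re.I)
# checkmarx/kics[:tag][@sha256:digest]
KICS_REF_RE = re.compile(r"checkmarx/kics(?::(?P<tag>\w[\w.-]{0,127}))?(?P<digest>@sha256:[0-9a-f]{64})?")


def parse_dotenv(text):
    """Minimal KEY=VALUE parser for .env files; comments and blank lines are skipped."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip("'\"")
    return env


def rotation_inventory(env):
    """Sorted variable names that must be rotated. Values are never returned or logged."""
    names = set()
    for key, value in env.items():
        if CREDENTIAL_NAME_RE.search(key) or EMBEDDED_CRED_URL_RE.match(value):
            names.add(key)
    return sorted(names)


def unpinned_kics_refs(text):
    """(line number, reference, effective tag) for each kics reference without a digest."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in KICS_REF_RE.finditer(line):
            if m.group("digest"):
                continue  # pinned by digest: the registry cannot silently re-point it
            findings.append((lineno, m.group(0), m.group("tag") or "latest"))
    return findings


SAMPLE_DOTENV = """\
# constructed .env as a compromised scan job might have seen it
AWS_ACCESS_KEY_ID=EXAMPLE-ACCESS-KEY-ID-PLACEHOLDER
AWS_SECRET_ACCESS_KEY=example-secret-placeholder
GITHUB_TOKEN="example-token-placeholder"
DATABASE_URL=postgres://app:example-pass@db.internal:5432/app
LOG_LEVEL=debug
KICS_QUERIES_PATH=/opt/kics/assets/queries
"""

PLACEHOLDER_DIGEST = "0" * 64  # placeholder, not a real image digest
SAMPLE_PIPELINE = f"""\
# constructed GitHub Actions fragment
jobs:
  iac-scan:
    runs-on: ubuntu-latest
    container:
      image: checkmarx/kics:latest
    steps:
      - uses: docker://checkmarx/kics
      - run: docker run --rm -v "$PWD:/src" checkmarx/kics:v0-example scan -p /src
      - run: docker run --rm checkmarx/kics@sha256:{PLACEHOLDER_DIGEST} version
"""

if __name__ == "__main__":
    print("rotate:", rotation_inventory(parse_dotenv(SAMPLE_DOTENV)))
    for lineno, ref, tag in unpinned_kics_refs(SAMPLE_PIPELINE):
        print(f"line {lineno}: {ref} pulls mutable tag '{tag}'; pin it by digest")
```

Feed `rotation_inventory()` the output of `env` from the CI runner or the workstation shell where the tool ran, not only the .env file; the untagged `docker://checkmarx/kics` reference resolves to `latest`, which is why it is reported with that effective tag.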
