
Malicious Checkmarx KICS Docker Images & VS Code Extensions: Supply Chain Detection and Remediation

Security Arsenal Team
April 22, 2026

Introduction

A critical supply chain compromise has been identified targeting the popular infrastructure-as-code (IaC) scanning tool, KICS (Keeping Infrastructure as Code Secure) by Checkmarx. Security researchers at Socket have confirmed that unknown threat actors successfully infiltrated the official checkmarx/kics Docker Hub repository. This is not a case of typo-squatting; attackers gained the ability to overwrite legitimate image tags and introduce phantom releases.

The malicious activity involves the overwriting of existing tags—specifically v2.1.20 and alpine—and the introduction of a non-existent v2.1.21 tag. Concurrently, malicious VS Code extensions were published. For organizations utilizing KICS within CI/CD pipelines or local development environments, this represents a high-severity event. The immediate risk involves the execution of unauthorized code within privileged containers or developer workstations, potentially leading to credential theft, pipeline hijacking, or lateral movement.

Technical Analysis

  • Affected Products:
    • checkmarx/kics Docker images.
    • Checkmarx KICS VS Code Extensions.
  • Affected Versions/Tags:
    • v2.1.20
    • alpine
    • v2.1.21 (Phantom release - never officially existed prior to compromise)
  • Attack Vector: Repository Hijack / Credential Compromise. Threat actors likely obtained access to the Docker Hub push tokens or the publishing automation account associated with the official Checkmarx organization. This allowed them to replace the manifest and layers for trusted tags with malicious ones.
  • Exploitation Status: Confirmed Active. The malicious images are currently hosted on the official Docker Hub repository. Users pulling these tags will inadvertently deploy the compromised artifact.
  • Mechanism: Upon execution (e.g., docker run checkmarx/kics:v2.1.20), the entrypoint script executes unauthorized payloads. In the context of the VS Code extension, the malicious code activates upon the extension loading, potentially exploiting the extension host process to execute commands or exfiltrate data.

Detection & Response

Defenders must act immediately to identify if these compromised artifacts have been pulled or executed within their environment. Below are detection mechanisms and a remediation script.

SIGMA Rules

The following Sigma rules detect the execution of the compromised Docker tags and suspicious process execution patterns associated with container breakout or unauthorized network activity often seen in compromised images.

YAML
---
title: Potential Execution of Compromised Checkmarx KICS Docker Image
id: 89a3b2c1-4d5e-6f78-a1b2-c3d4e5f67890
status: experimental
description: Detects the execution or pull of specific compromised Checkmarx KICS Docker image tags (v2.1.20, alpine, v2.1.21) identified in supply chain attacks.
references:
  - https://socket.dev/blog/checkmarx-supply-chain-vulnerability
author: Security Arsenal
date: 2026/04/14
tags:
  - attack.execution
  - attack.t1204
logsource:
  category: process_creation
  product: linux
detection:
  selection:
    Image|endswith: '/docker'
    CommandLine|contains:
      - 'checkmarx/kics:v2.1.20'
      - 'checkmarx/kics:alpine'
      - 'checkmarx/kics:v2.1.21'
  condition: selection
falsepositives:
  - Legitimate administrative testing of specific image tags (verify necessity)
level: critical
---
title: Suspicious Outbound Connection from KICS Container Process
id: 12c3d4e5-6f78-90a1-b2c3-d4e5f67890ab
status: experimental
description: Detects network connections initiated by processes likely spawned from the compromised KICS image, assuming the container runs with a predictable process name or user context.
references:
  - https://socket.dev/blog/checkmarx-supply-chain-vulnerability
author: Security Arsenal
date: 2026/04/14
tags:
  - attack.command_and_control
  - attack.t1071
logsource:
  category: network_connection
  product: linux
detection:
  selection:
    Image|endswith: '/kics'
    DestinationPort:
      - 443
      - 80
  filter:
    DestinationIp|cidr:
      - '10.0.0.0/8'
      - '172.16.0.0/12'
      - '192.168.0.0/16'
      - '127.0.0.0/8'
  condition: selection and not filter
falsepositives:
  - Legitimate KICS scans accessing public cloud APIs or repositories
level: high

KQL (Microsoft Sentinel / Defender)

This query hunts for Docker daemon logs indicating the pull or creation of the compromised containers, as well as process creation events on Linux hosts monitored by Defender for Endpoint.

KQL — Microsoft Sentinel / Defender
// Hunt for compromised Checkmarx KICS Docker images
// Query 1 - for Syslog/CEF ingestion of Docker daemon logs (run the two queries separately)
Syslog
| where ProcessName contains "dockerd"
| where SyslogMessage has "checkmarx/kics"
| where SyslogMessage has_any ("v2.1.20", "alpine", "v2.1.21")
| extend ImageTag = extract(@"checkmarx/kics:([\w\.]+)", 1, SyslogMessage)
| project TimeGenerated, HostName, ProcessName, SyslogMessage, ImageTag
| order by TimeGenerated desc

// Query 2 - for Defender for Endpoint (DeviceProcessEvents).
// The image reference sits on the command line of the docker CLI process itself, so match on
// FileName; children of the docker CLI are covered through the InitiatingProcess* fields.
DeviceProcessEvents
| where FileName =~ "docker" or InitiatingProcessFileName =~ "docker"
| extend DockerCmdLine = iff(FileName =~ "docker", ProcessCommandLine, InitiatingProcessCommandLine)
| where DockerCmdLine has "checkmarx/kics"
| where DockerCmdLine has_any ("v2.1.20", "alpine", "v2.1.21")
| extend ImageTag = extract(@"checkmarx/kics:([\w\.]+)", 1, DockerCmdLine)
| project Timestamp, DeviceName, AccountName, FileName, DockerCmdLine, ImageTag
| order by Timestamp desc

Velociraptor VQL

This VQL artifact hunts for the presence of the compromised Docker images on the local disk and checks for the malicious VS Code extension in user directories.

VQL — Velociraptor
-- Hunt 1: Docker's image store maps repository tags to image IDs in
-- /var/lib/docker/image/<storage-driver>/repositories.json. Flag any host whose
-- store still references one of the compromised checkmarx/kics tags.
SELECT OSPath, Mtime,
       read_file(filename=OSPath) AS Content
FROM glob(globs="/var/lib/docker/image/*/repositories.json")
WHERE Content =~ "checkmarx/kics:(v2[.]1[.]20|alpine|v2[.]1[.]21)"

-- Hunt 2: VS Code extensions declare their publisher and name in package.json.
-- Covers per-user, root, and remote (.vscode-server) extension directories.
SELECT OSPath, Size, Mtime
FROM glob(globs=[
  "/home/*/.vscode*/extensions/*/package.json",
  "/root/.vscode*/extensions/*/package.json"])
WHERE read_file(filename=OSPath, length=4000) =~ "(?i)kics|checkmarx"

Remediation Script (Bash)

WARNING: This script performs destructive actions (removing images and extensions). Review thoroughly before execution in production.

Bash / Shell
#!/bin/bash

# Remediation Script for Checkmarx KICS Supply Chain Compromise
# Addresses Malicious Docker Images and VS Code Extensions
# Requires: docker CLI (image removal); code and/or code-insiders (extension removal)

set -u

EVIDENCE="kics-remediation-$(date +%Y%m%dT%H%M%S).log"
echo "[*] Starting Remediation for Checkmarx KICS Supply Chain Incident..."
echo "[*] Evidence (image IDs, digests, container IDs) will be written to ${EVIDENCE}"

# 1. Identify and remove malicious Docker images
# Tags identified as compromised: v2.1.20, alpine, v2.1.21
MALICIOUS_TAGS=("v2.1.20" "alpine" "v2.1.21")
REPO="checkmarx/kics"

if command -v docker >/dev/null 2>&1; then
  for tag in "${MALICIOUS_TAGS[@]}"; do
    FULL_IMAGE="${REPO}:${tag}"
    echo "[*] Checking for image: ${FULL_IMAGE}"

    # Exact, literal whole-line match (-x -F) so "v2.1.20" cannot match e.g. "v2.1.200"
    if docker images --format '{{.Repository}}:{{.Tag}}' | grep -qxF "${FULL_IMAGE}"; then
      echo "[!] FOUND malicious image: ${FULL_IMAGE}. Recording evidence, then removing..."

      # Preserve the image ID and digest for the incident record before deletion
      docker images --digests --format '{{.Repository}}:{{.Tag}} id={{.ID}} digest={{.Digest}}' \
        | grep -F "${FULL_IMAGE}" >> "${EVIDENCE}"

      # Stop running containers using this image (their IDs are recorded first)
      RUNNING_CONTAINERS=$(docker ps -q -f ancestor="${FULL_IMAGE}")
      if [ -n "${RUNNING_CONTAINERS}" ]; then
        echo "[!] Stopping running containers: ${RUNNING_CONTAINERS}"
        echo "containers(${FULL_IMAGE}): ${RUNNING_CONTAINERS}" >> "${EVIDENCE}"
        docker stop ${RUNNING_CONTAINERS}   # unquoted on purpose: one argument per container ID
      fi

      # Remove the image (-f also detaches stopped containers that still reference it)
      docker rmi -f "${FULL_IMAGE}"
      echo "[+] Removal complete for ${FULL_IMAGE}"
    else
      echo "[+] Image ${FULL_IMAGE} not found on host."
    fi
  done
else
  echo "[!] docker command not found in PATH. Skipping image remediation."
fi

# 2. Remediate VS Code Extensions
# Handles the stable 'code' CLI and 'code-insiders' when either is present in PATH.
for CODE_CLI in code code-insiders; do
  if ! command -v "${CODE_CLI}" >/dev/null 2>&1; then
    echo "[!] '${CODE_CLI}' not found in PATH. Skipping."
    continue
  fi
  echo "[*] Checking ${CODE_CLI} for malicious extensions..."

  # Extension IDs have the form publisher.extension-name; match on either part
  MALICIOUS_EXTS=$("${CODE_CLI}" --list-extensions | grep -iE 'checkmarx|kics')

  if [ -n "${MALICIOUS_EXTS}" ]; then
    echo "[!] Found potentially malicious extensions:"
    echo "${MALICIOUS_EXTS}"
    echo "extensions(${CODE_CLI}): ${MALICIOUS_EXTS}" >> "${EVIDENCE}"

    echo "${MALICIOUS_EXTS}" | while read -r ext; do
      echo "[*] Uninstalling extension: ${ext}"
      "${CODE_CLI}" --uninstall-extension "${ext}"
    done
    echo "[!] Please manually reinstall the extension from the official marketplace only after verifying the vendor's all-clear."
  else
    echo "[+] No matching extensions found for ${CODE_CLI}."
  fi
done

echo "[*] Remediation script completed."
echo "[!] ACTION REQUIRED: Rotate any credentials or tokens exposed in CI/CD pipelines utilizing these images."

Remediation

  1. Immediate Image Removal: Immediately stop any running containers utilizing the checkmarx/kics:v2.1.20, checkmarx/kics:alpine, or checkmarx/kics:v2.1.21 tags. Delete these images from all local registries, Docker caches, and production environments using the remediation script provided above or manual docker rmi commands.
  2. VS Code Extension Removal: Developers must uninstall the Checkmarx KICS extension immediately via the command palette (Ctrl+Shift+P -> Extensions: Uninstall Extension) or the provided script. Do not use the extension until the vendor confirms a clean version is published.
  3. Pipeline Audits: Audit CI/CD pipelines (Jenkins, GitLab CI, GitHub Actions, Azure DevOps) to ensure they are not pinning to the compromised tags. Update Dockerfile FROM instructions and pipeline scripts to point to a verified, clean version (e.g., a specific digest or a vetted version released after the incident resolution).
  4. Secret Rotation: Assume that any secrets, API keys, or cloud credentials accessible to the compromised containers or extensions have been exfiltrated. Initiate credential rotation for all accounts that were accessible to the environment where the malicious image ran.
  5. Vendor Verification: Monitor the official Checkmarx GitHub and Checkmarx Security Advisories for the official patched release. Once released, pull images by digest rather than by tag to ensure integrity: docker pull checkmarx/kics@sha256:...
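To support steps 3 and 5 above (finding pipelines that still reference the compromised tags and checking which references are pinned by digest), the following added example, which is not code from the original advisory or from Checkmarx, audits Dockerfile and CI text for checkmarx/kics references and reports whether each is a compromised tag, a mutable tag, or a digest pin. The sample input is constructed for the demonstration.

```python
import re

# Tags the advisory names as compromised in the official checkmarx/kics repository.
COMPROMISED_TAGS = {"v2.1.20", "alpine", "v2.1.21"}

# One KICS image reference: optional registry/namespace prefix, the repo, then an
# optional ":tag" and/or "@sha256:<64 hex>" digest. Fits Dockerfile FROM lines,
# CI "image:" keys and "docker run" commands alike.
IMAGE_RE = re.compile(
    r"(?P<ref>(?:[\w.\-]+(?::\d+)?/)*checkmarx/kics"
    r"(?::(?P<tag>\w[\w.\-]*))?(?:@(?P<digest>sha256:[0-9a-f]{64}))?)"
)

def classify(tag, digest):
    """Map a reference's tag/digest to a verdict. A digest pin wins: Docker
    resolves image@sha256 by content, so any tag beside it is only a label."""
    if digest:
        return "digest-pinned"
    if tag in COMPROMISED_TAGS:
        return "COMPROMISED_TAG"
    if tag is None or tag == "latest":
        return "floating-tag"      # mutable tag that a registry compromise can repoint
    return "unpinned-tag"          # specific-looking but still mutable

def audit_text(text, source="<input>"):
    """Return one finding per KICS image reference found in `text`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in IMAGE_RE.finditer(line):
            findings.append({
                "source": source, "line": lineno, "ref": m.group("ref"),
                "verdict": classify(m.group("tag"), m.group("digest")),
            })
    return findings

# Constructed sample: a Dockerfile and a CI snippet concatenated (not real pipeline content).
SAMPLE = (
    "FROM checkmarx/kics:v2.1.20 AS scanner\n"
    "FROM ghcr.io/mirror/checkmarx/kics:v2.1.19\n"
    "image: checkmarx/kics@sha256:" + "0" * 64 + "\n"
    '    - run: docker run --rm -v "$PWD:/path" checkmarx/kics:alpine scan -p /path\n'
)

if __name__ == "__main__":
    for f in audit_text(SAMPLE, "sample"):
        print(f"{f['source']}:{f['line']}: {f['verdict']:16} {f['ref']}")
```

Point audit_text at the contents of each Dockerfile and pipeline definition in a repository; anything reported as COMPROMISED_TAG must be replaced, and floating or unpinned tags are candidates for conversion to digest pins.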
