Supply Chain Alert: Malicious Checkmarx/KICS Docker Images Detected

MSP_Tech_Dylan 4/22/2026

Just caught the alert from Socket regarding the checkmarx/kics repository on Docker Hub. It looks like threat actors managed to overwrite legitimate tags (specifically v2.1.20 and alpine) and introduced a phantom v2.1.21 release that doesn't exist upstream.

This is exactly why relying on mutable tags is such a gamble. If you pulled these specific images recently, assume your environment is compromised. The attackers are effectively swapping the binaries under the version tag.

You should immediately audit your running containers. Here is a quick way to identify if you are running the affected image IDs:

docker images --digests | grep "checkmarx/kics"
# Cross-reference the digest with the official Checkmarx GH releases to verify integrity

Additionally, the report mentions malicious VS Code extensions pushing similar payloads. Ensure you are validating the Publisher ID (Checkmarx) strictly, as typosquatting is rampant here.

This highlights a major weakness in standard CI/CD pipelines that just docker pull without verification.

Discussion: Is Docker Content Trust (Notary V2) finally ready for prime time adoption, or are we all just crossing our fingers? How are you enforcing image integrity in your pipelines?

K8s_SecOps_Mei 4/22/2026

This is why we aggressively pin by digest in our Helm charts. Tags are for humans, machines need immutable hashes. If you're using imagePullPolicy: Always with mutable tags in prod, you're essentially rolling the dice every deployment.

We also run a Trivy scan on the admission controller to block images that don't match the known SBOM signature. It saved us from a similar compromise a few months ago with a different repo.

MasterSlacker 4/22/2026

Solid advice. From a SOC perspective, we're treating this as an IoC (Indicator of Compromise) event. We've updated our Sigma rules to flag any spawned processes from KICS images that aren't signed by the official key.

Also, don't forget to check your .docker/config. Some of these malicious images attempt to exfiltrate registry credentials by scraping the config mount.

SA_Admin_Staff 4/22/2026

To validate the integrity of the images currently running in your cluster, you can compare the local digest against the official repository's manifest. If you pulled a compromised tag, the digest will differ from the expected upstream release.

A quick audit command is:

docker image inspect --format='{{index .RepoDigests 0}}' checkmarx/kics:v2.1.20

Compare that output with the official source. If they don't match, nuke the image and rotate any credentials used in that environment immediately.
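An added audit helper (not code from any poster in this thread) that applies the digest comparison above to the output of docker images --digests: every checkmarx/kics image is checked against a pinned allowlist, and an unlisted tag (such as the phantom v2.1.21) or a digest that differs from the pinned one is flagged. The expected digests are placeholders to be replaced with the values from the official Checkmarx releases, and the image listing is a constructed sample.

```shell
#!/bin/sh
# Added example, not code from this thread. Maps each pinned tag to the
# digest published by the vendor; the values below are PLACEHOLDERS and
# must be replaced with the digests from the official Checkmarx releases.
KICS_EXPECTED="checkmarx/kics:v2.1.20=sha256:PLACEHOLDER_V2_1_20_DIGEST_FROM_OFFICIAL_RELEASE \
checkmarx/kics:alpine=sha256:PLACEHOLDER_ALPINE_DIGEST_FROM_OFFICIAL_RELEASE"

# Constructed sample of `docker images --digests` output (not a real
# capture): one matching image, one overwritten tag, one phantom tag.
SAMPLE_LISTING='REPOSITORY       TAG       DIGEST                                                                    IMAGE ID       CREATED        SIZE
checkmarx/kics   v2.1.20   sha256:PLACEHOLDER_V2_1_20_DIGEST_FROM_OFFICIAL_RELEASE                                  0123456789ab   3 weeks ago    150MB
checkmarx/kics   alpine    sha256:0000000000000000000000000000000000000000000000000000000000000000   abcdef012345   2 days ago     150MB
checkmarx/kics   v2.1.21   sha256:1111111111111111111111111111111111111111111111111111111111111111   fedcba987654   2 days ago     150MB
nginx            1.27      sha256:2222222222222222222222222222222222222222222222222222222222222222   112233445566   5 days ago     190MB'

# audit_kics: read a `docker images --digests` listing on stdin and print
# "<verdict> <image> <digest>" for every checkmarx/kics image found.
audit_kics() {
  awk -v expected="$KICS_EXPECTED" '
    BEGIN {
      n = split(expected, entries, " ")
      for (i = 1; i <= n; i++) { split(entries[i], kv, "="); want[kv[1]] = kv[2] }
    }
    $1 == "checkmarx/kics" {
      image = $1 ":" $2; digest = $3
      if (!(image in want))           verdict = "UNKNOWN_TAG"  # e.g. the phantom v2.1.21
      else if (digest == "<none>")    verdict = "NO_DIGEST"    # pulled without a digest
      else if (digest != want[image]) verdict = "MISMATCH"     # tag silently re-pointed
      else                            verdict = "OK"
      print verdict, image, digest
    }'
}

# kics_is_clean: succeed only when every checkmarx/kics image is OK.
kics_is_clean() {
  ! audit_kics | grep -qv '^OK '
}

# Real use: docker images --digests | audit_kics
printf '%s\n' "$SAMPLE_LISTING" | audit_kics
```

Any verdict other than OK means the image should be removed and the credentials reachable from that environment rotated, as described above.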
