TempMail Ninja

Checkmarx Supply Chain Attack: Malicious KICS Images and VS Code Extensions


The global developer community is currently grappling with the fallout of a highly sophisticated Checkmarx supply chain attack that has compromised the very tools designed to protect modern infrastructure. On April 22, 2026, security researchers identified a dual-pronged assault targeting the Keeping Infrastructure as Code Secure (KICS) ecosystem. By poisoning official Docker Hub repositories and trojanizing popular Visual Studio Code extensions, threat actors have turned a premier security scanner into a silent vacuum for sensitive architectural secrets.

This incident represents a significant escalation in the ongoing campaign against DevSecOps tooling. Infrastructure-as-Code (IaC) has become the blueprint of the modern enterprise, housing the “crown jewels” of cloud configurations, including network topologies, database connection strings, and identity management rules. By compromising KICS—an industry standard for scanning Terraform, Kubernetes, and CloudFormation files—the attackers have achieved a “god-view” of the target’s most vulnerable assets.

The Docker Hub Hijack: Poisoning the Source of Truth

The first stage of the Checkmarx supply chain attack targeted the official checkmarx/kics Docker Hub repository. In a brazen move, the threat actors managed to overwrite several legitimate, highly-trafficked image tags. This is a particularly insidious form of supply chain poisoning because many CI/CD pipelines are configured to automatically pull specific version tags or the latest image without verifying the underlying cryptographic hash (digest).

Compromised Tags and Versioning

According to technical analysis, the following tags were poisoned to point to a malicious multi-arch index manifest (sha256:2588a44890263a8185bd5d9fadb6bc9220b60245dbcbc4da35e1b62a6f8c230d):

  • v2.1.20 and v2.1.20-debian
  • alpine and debian
  • latest
  • v2.1.21 (A fraudulent version introduced by the attackers)

The introduction of v2.1.21 was a masterstroke of social engineering. By releasing a version number slightly higher than the current stable release, the attackers ensured that automated dependency management tools like Renovate or Dependabot would flag the “update” and encourage developers to merge the malicious code into their main branches.

Anatomy of the Poisoned KICS Binary

Unlike traditional container compromises that deploy miners or reverse shells, the modified KICS binary remains fully functional. It continues to scan IaC files and report legitimate vulnerabilities, so developers see no broken build that might prompt a closer look. Beneath the surface, however, the binary has been re-engineered to fork a background process during execution. This hidden process generates an unredacted scan report (bypassing any local sanitization or exclusion rules) and exfiltrates it to an attacker-controlled endpoint: audit.checkmarx[.]cx/v1/telemetry.

The exfiltrated data typically includes:

  • Hardcoded API Keys: Often found in Terraform provider blocks.
  • Cloud Credentials: AWS Access Key IDs and Secret Access Keys embedded in environment files.
  • Network Architecture: Detailed maps of VPCs, security groups, and internal IP ranges.
  • Kubernetes Secrets: Service account tokens and base64-encoded configuration maps.

VS Code Extension Exploitation: The Model Context Protocol Masquerade

The campaign’s second front moved from the server-side environment to the developer’s local desktop. Attackers successfully compromised the Checkmarx Developer Assist (checkmarx/cx-dev-assist) and Checkmarx AST Results (checkmarx/ast-results) extensions on the Visual Studio Code Marketplace. The compromised versions—specifically versions 1.17.0 and 1.19.0 of Developer Assist—introduced a multi-stage malware delivery system.

The “MCP” Hook

The malware’s payload is delivered as a remote JavaScript file titled mcpAddon.js. In an effort to blend in with modern development trends, the filename references the Model Context Protocol (MCP), an open standard recently popularized for connecting AI models to local data sources. By masquerading as an “AI enhancement” feature, the malware avoids raising suspicion during routine traffic analysis.

Upon the activation of the extension, the malware leverages the Bun runtime—a high-performance JavaScript tool often present in modern frontend environments—to execute the mcpAddon.js payload. This script is designed to perform a comprehensive sweep of the developer’s local system, targeting specific directories for credential harvesting.

Targeted Assets in the IDE Attack

The mcpAddon.js payload is a highly efficient infostealer. It specifically targets:

  1. GitHub Auth Tokens: Stored in ~/.config/gh/hosts.yml or within the VS Code internal credential store.
  2. npm Configuration: .npmrc files containing authentication tokens for private package registries.
  3. Cloud CLI Databases: Cached session tokens from .aws/credentials and gcloud configuration folders.
  4. SSH Keys: Private keys from the .ssh directory, which enable lateral movement.

Worm-Like Propagation and the “TeamPCP” Connection

What differentiates this Checkmarx supply chain attack from standard credential theft is its self-propagating “worm” capability. Once the threat actors obtain a developer’s GitHub or npm token, they do not simply sell the data on the dark web. Instead, the malware uses these credentials to automate the next phase of the attack.

Malicious Workflow Injection

Using stolen GitHub tokens, the attackers inject a backdated commit into the victim’s own repositories. This commit adds a hidden GitHub Actions workflow (e.g., .github/workflows/verify-integrity.yml) that executes on every pull request. This workflow is designed to capture all environment secrets available to the CI/CD runner and upload them as a hidden artifact or POST them to the checkmarx[.]zone domain.
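One way to hunt for the backdated workflow commits described above, as an added example that is not part of the original article: it flags commits that add a file under .github/workflows yet carry a commit time older than their parent's. The input format (`git log --format='%H %ct %P'`), the 300-second skew allowance and the sample hashes are assumptions constructed for illustration.

```python
def parse_log(log_text):
    """Parse `git log --format='%H %ct %P'` lines into {hash: (commit_time, parents)}."""
    commits = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            commits[parts[0]] = (int(parts[1]), parts[2:])
    return commits


def backdated_workflow_commits(log_text, workflow_adders, skew=300):
    """Return (hash, seconds_backdated) for workflow-adding commits that
    claim to be older than the newest of their parents.

    workflow_adders: hashes from
      git log --diff-filter=A --format=%H -- .github/workflows
    skew: tolerated clock drift in seconds (assumed value).
    """
    commits = parse_log(log_text)
    flagged = []
    for h in workflow_adders:
        if h not in commits:
            continue
        ctime, parents = commits[h]
        parent_times = [commits[p][0] for p in parents if p in commits]
        if parent_times and ctime + skew < max(parent_times):
            flagged.append((h, max(parent_times) - ctime))
    return flagged


# Constructed sample history: c3 adds a workflow but is dated years before its parent c2.
SAMPLE_LOG = "\n".join([
    "c1 1700000000",
    "c2 1745000000 c1",
    "c3 1600000000 c2",
    "c4 1745100000 c3",
    "c5 1745200000 c4",
])
SAMPLE_ADDERS = ["c3", "c5"]  # constructed: commits that added files under .github/workflows

if __name__ == "__main__":
    for commit, delta in backdated_workflow_commits(SAMPLE_LOG, SAMPLE_ADDERS):
        print(f"{commit}: dated {delta} s before its parent, review the workflow it adds")
```

Honest history can trip this check after clock errors, so treat a hit as a reason to read the workflow file, not as proof.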

npm Registry Poisoning

Similarly, stolen npm tokens are used to identify packages where the victim has “maintainer” or “owner” permissions. The malware then automatically bumps the version of these packages and republishes them with a malicious preinstall script. This effectively turns every compromised developer into an unwitting distribution point for the malware, creating an exponential growth curve for the infection.

Attribution: Who is TeamPCP?

Evidence points toward a threat actor group known as TeamPCP. This group has been linked to several high-profile security tool compromises in early 2026, including the attacks on Trivy and LiteLLM. TeamPCP’s methodology is characterized by a deep understanding of developer workflows and an ability to tamper with Git history, using backdated commits (such as commit 68ed490b) to make malicious changes appear as if they have been part of a repository for years.

Critical Remediation Steps for DevSecOps Teams

Given the scale of the Checkmarx supply chain attack, organizations must move beyond simple updates and conduct a thorough audit of their entire software supply chain. The following steps are mandatory for any team utilizing the KICS ecosystem or Checkmarx extensions:

1. Container Image Verification

Immediately cease using mutable tags like latest or v2.1.20. Security teams should audit their CI/CD logs for any pulls of checkmarx/kics between April 20 and April 22, 2026. Pin your images to known-good SHA256 digests.

  • Verified Legitimate KICS v2.1.20 (Linux/amd64): sha256:d8c... (Verify via Checkmarx official portal)
  • Action: Delete the local v2.1.21 image and purge any registry mirrors.
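The pinning audit above, as an added example that is not from the original article or from Checkmarx: it scans CI configuration text for checkmarx/kics references and separates digest-pinned ones from the tags and index digest this article lists as poisoned. The sample pipeline lines (including the v2.1.19 tag) are constructed for illustration.

```python
import re

# Values taken from the article above.
POISONED_TAGS = {"v2.1.20", "v2.1.20-debian", "alpine", "debian", "latest", "v2.1.21"}
MALICIOUS_INDEX = "sha256:2588a44890263a8185bd5d9fadb6bc9220b60245dbcbc4da35e1b62a6f8c230d"

# checkmarx/kics with optional docker.io/ prefix, optional :tag, optional @digest.
# The lookahead keeps differently named repos (e.g. kics-something) out of the results.
IMAGE_RE = re.compile(
    r"(?:docker\.io/)?checkmarx/kics(?![\w.-])"
    r"(?::(?P<tag>\w[\w.-]*))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?"
)


def audit_line(line):
    """Return (status, reference) findings for one line of CI config."""
    findings = []
    for m in IMAGE_RE.finditer(line):
        tag = m.group("tag") or "latest"  # Docker resolves a missing tag to :latest
        digest = m.group("digest")
        if digest == MALICIOUS_INDEX:
            status = "MALICIOUS_DIGEST"
        elif digest:
            status = "PINNED"  # still compare with a digest you verified yourself
        elif tag in POISONED_TAGS:
            status = "POISONED_TAG"
        else:
            status = "MUTABLE_TAG"
        findings.append((status, m.group(0)))
    return findings


def audit_text(text):
    """Audit a whole file; returns (line_number, status, reference) tuples."""
    return [(n, status, ref)
            for n, line in enumerate(text.splitlines(), 1)
            for status, ref in audit_line(line)]


# Constructed sample input (not from a real pipeline).
SAMPLE = "\n".join([
    "image: checkmarx/kics:latest",
    "run: docker run -v $PWD:/path checkmarx/kics:v2.1.21 scan -p /path",
    "FROM checkmarx/kics:v2.1.19",
    "uses: docker://checkmarx/kics@" + MALICIOUS_INDEX,
    "image: docker.io/checkmarx/kics",
])

if __name__ == "__main__":
    for finding in audit_text(SAMPLE):
        print(finding)
```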

2. Extension Audit and Rollback

Developers must check their installed VS Code extensions. If you are running checkmarx/cx-dev-assist at version 1.17.0 or 1.19.0, or checkmarx/ast-results at 2.63.0 or 2.66.0, you must assume your local credentials have been exfiltrated.

  • Uninstall: Remove the affected extensions immediately.
  • Wipe: Clear the VS Code extension cache directory.
  • Reinstall: Install the verified 1.18.0 or the newly released patched versions (verify the publisher).
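The extension audit above, as an added example that is not from the original article or from Checkmarx: it classifies entries from `code --list-extensions --show-versions` together with folder names left in the extensions directory, using the affected versions listed here. The dotted `publisher.name` spelling of the article's `checkmarx/...` identifiers and the sample listings are assumptions constructed for illustration.

```python
import re

# Affected releases exactly as listed in the article above.
AFFECTED = {
    "checkmarx/cx-dev-assist": {"1.17.0", "1.19.0"},
    "checkmarx/ast-results": {"2.63.0", "2.66.0"},
}

# "publisher.name@1.2.3" (CLI listing) or "publisher.name-1.2.3[-platform]" (folder name).
ENTRY_RE = re.compile(
    r"^(?P<pub>[^./@\s]+)[./](?P<name>[^@\s]+?)[@-]"
    r"(?P<ver>\d+\.\d+\.\d+)(?:-[\w-]+)?$"
)


def classify(entry):
    """Return (extension, version, status) for a listed Checkmarx extension, else None."""
    m = ENTRY_RE.match(entry.strip())
    if not m:
        return None
    ext = f"{m['pub']}/{m['name']}".lower()
    if ext not in AFFECTED:
        return None
    # A listed version means local credentials must be assumed exfiltrated.
    status = "ROTATE_CREDENTIALS" if m["ver"] in AFFECTED[ext] else "VERIFY_PUBLISHER"
    return (ext, m["ver"], status)


def audit(cli_listing, extension_dirs):
    """Merge findings from the CLI listing and from folders still on disk,
    so a version that was uninstalled but not wiped is still reported."""
    entries = cli_listing.splitlines() + list(extension_dirs)
    return sorted({f for f in map(classify, entries) if f})


# Constructed sample data (not from a real workstation).
SAMPLE_LISTING = "\n".join([
    "ms-python.python@2024.2.1",
    "checkmarx.cx-dev-assist@1.18.0",
    "Checkmarx.ast-results@2.63.0",
])
SAMPLE_DIRS = ["checkmarx.cx-dev-assist-1.17.0", "checkmarx.ast-results-2.63.0-linux-x64"]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LISTING, SAMPLE_DIRS):
        print(finding)
```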

3. Global Credential Rotation

Because the malware specifically targets authentication tokens, password changes are insufficient. Organizations must perform a “kill-switch” rotation of:

  1. GitHub Personal Access Tokens (PATs) and OAuth tokens.
  2. npm automation and publish tokens.
  3. Cloud provider access keys (AWS, Azure, GCP).
  4. SSH keys used for repository access.

Building Resilience Against the Next Wave

The Checkmarx supply chain attack is a stark reminder that the tools we use to secure our code are themselves prime targets. To prevent future incidents of this nature, the industry must transition toward a Zero Trust Architecture for Pipelines. This includes implementing mandatory Software Bill of Materials (SBOM) verification for every container used in a build and enforcing strict network egress filtering for CI/CD runners.

Furthermore, the abuse of the Model Context Protocol (MCP) as a mask for malware highlights the need for better scrutiny of “AI-enhanced” features in developer tools. As AI becomes more integrated into our IDEs, the surface area for social engineering and technical masquerading will only continue to grow. Security teams must remain vigilant, treating every “update” and every “new feature” as a potential vector for compromise until proven otherwise.

Immediate Action Required: If your organization has utilized KICS for IaC scanning within the last 72 hours, treat all scanned secrets as compromised. Initiate your incident response protocol and prioritize the rotation of production environment keys immediately.


Written by

TempMail Ninja

Digital privacy and online security expert. Passionate about creating tools that protect users' identity on the internet.