"The dangerous timeframe for the DockerHub KICS image was from 2026-04-22 14:17:59 UTC to 2026-04-22 15:41:31 UTC."
The window: DockerHub KICS image manipulation on 2026-04-22
On 2026-04-22, a short but consequential window opened in which the official checkmarx/kics Docker Hub repository contained a trojanized image. Docker tags were temporarily repointed to a malicious digest between 14:17:59 UTC and 15:41:31 UTC; affected tags have since been restored to legitimate image digests and the fake v2.1.21 tag was deleted. The dependency security firm Socket began investigating after receiving an alert from Docker about malicious images pushed to that repository.
How attackers delivered the 'MCP addon' via Docker images and extensions
Socket's review found the compromise extended beyond a single Docker image. VS Code and Open VSX extensions for Checkmarx's KICS analysis tool were also trojanized. Those extensions contained a hidden feature the researchers call the 'MCP addon.' Socket reports that the addon was downloaded from a hardcoded GitHub URL as mcpAddon.js and that the file is "a multi-stage credential theft and propagation component."
KICS (Keeping Infrastructure as Code Secure) is a free, open-source scanner commonly run locally via CLI or Docker. Because it processes infrastructure-as-code files and related configurations, the tool routinely inspects data that can include credentials, tokens and internal architecture details—exactly the kinds of artifacts the malware was designed to harvest.
Data targeted and exfiltration to audit.checkmarx[.]cx
According to Socket, the malware specifically seeks the types of secrets KICS processes: GitHub tokens, cloud credentials for AWS, Azure and Google Cloud, npm tokens, SSH keys, Claude configs, and environment variables. The captured data is encrypted and exfiltrated to a domain designed to impersonate legitimate Checkmarx infrastructure: audit.checkmarx[.]cx. Socket also reports that the malware automatically creates public GitHub repositories as an additional channel for exfiltration.
Response: Socket investigation and Checkmarx bulletin
Socket publicly disclosed its findings after the Docker alert. BleepingComputer reached out to Checkmarx for comment; a response was not immediately available. Separately, Checkmarx published a security bulletin saying all malicious artifacts have been removed, and that exposed credentials were revoked and rotated. The company said it is investigating with external experts and will provide more information as it becomes available.
What this means for developers, security teams, and Checkmarx
- Developers: Socket and Checkmarx recommend that anyone who downloaded the affected artifacts consider their secrets compromised, rotate them as soon as possible, and rebuild environments from a known safe point.
- Security teams and responders: The advisory lists concrete mitigation steps: block access to checkmarx[.]cx => 91[.]195[.]240[.]123 and audit.checkmarx[.]cx => 94[.]154[.]172[.]43; use pinned SHAs for Docker images; and revert to known safe versions where applicable.
- Checkmarx: The company has removed the malicious artifacts, revoked and rotated exposed credentials, and engaged external experts for investigation; it has promised further updates.
Versions to revert to and attribution status
The bulletin and reporting identify the latest safe versions for affected projects: DockerHub KICS v2.1.20; Checkmarx ast-github-action v2.3.36; Checkmarx VS Code extensions v2.64.0; and Checkmarx Developer Assist extension v1.18.0. The TeamPCP hackers publicly claimed the attack—TeamPCP were previously tied in reporting to other supply-chain compromises—but Socket's researchers say they could not find sufficient evidence beyond pattern-based correlations to confidently attribute this incident to that group.
The record is concrete on several points: a brief repointing of Docker tags introduced a malicious KICS image; companion VS Code and Open VSX extensions downloaded an 'MCP addon' from a hardcoded GitHub URL as mcpAddon.js; Socket described that component as "a multi-stage credential theft and propagation component"; and stolen data was exfiltrated to audit.checkmarx[.]cx, with automatically created public GitHub repositories serving as an additional channel. For teams that rely on KICS, the practical next steps are likewise direct: assume compromise if the tool was pulled during the window, rotate secrets, block the listed domains and IPs, and move to the identified safe versions.
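As an added example (not code from Socket, Checkmarx or this article), the script below triages image pulls against the exposure window and fake tag reported above, and shows why a tag-only reference cannot be cleared while a digest pin can be checked. The log format, the verdict labels and the all-zero digest are assumptions made for illustration.

```python
import re
from datetime import datetime, timezone

# From the article: exposure window (UTC) and the fake tag that was later deleted.
WINDOW_START = datetime(2026, 4, 22, 14, 17, 59, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 4, 22, 15, 41, 31, tzinfo=timezone.utc)
FAKE_TAG = "v2.1.21"
DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")

def parse_ref(ref):
    """Split an image reference into (repo, tag, digest)."""
    name, _, digest = ref.partition("@")
    repo, tag = name, None
    if ":" in name.rsplit("/", 1)[-1]:  # colon after the last slash is a tag, not a port
        repo, tag = name.rsplit(":", 1)
    return repo.removeprefix("docker.io/"), tag, digest or None

def in_window(ts):
    """True if an ISO 8601 timestamp falls inside the exposure window."""
    t = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    if t.tzinfo is None:  # assumption: naive timestamps are already UTC
        t = t.replace(tzinfo=timezone.utc)
    return WINDOW_START <= t <= WINDOW_END

def triage(ts, ref):
    """Classify one pull of an image reference at a given time."""
    repo, tag, digest = parse_ref(ref)
    if repo != "checkmarx/kics":
        return "not-kics"
    if tag == FAKE_TAG:
        return "compromised-fake-tag"
    pinned = bool(digest and DIGEST_RE.fullmatch(digest))
    if in_window(ts):  # assumption: any tag may have been repointed in the window
        return "verify-digest" if pinned else "assume-compromised"
    return "pinned" if pinned else "unpinned-tag"

def triage_log(text):
    return [triage(*line.split()) for line in text.splitlines() if line.strip()]

# Constructed pull log; the all-zero digest is a placeholder, not a real image.
SAMPLE_LOG = """\
2026-04-22T13:05:10Z checkmarx/kics:latest
2026-04-22T17:02:44+02:00 checkmarx/kics:v2.1.20
2026-04-22T15:00:00Z checkmarx/kics:v2.1.20@sha256:{d}
2026-04-23T09:00:00Z checkmarx/kics:v2.1.21
""".format(d="0" * 64)

if __name__ == "__main__":
    print(*zip(triage_log(SAMPLE_LOG), SAMPLE_LOG.splitlines()), sep="\n")
```

A "verify-digest" or "pinned" verdict only means the reference is immutable; the digest itself still has to be compared with one obtained from a trusted source, since the article lists none.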




