New Supply Chain Breach Affects Checkmarx’s KICS Analysis Tool

Cybersecurity Specialists Discover Sophisticated Supply Chain Attack Targeting KICS Analysis Tool

Cybersecurity specialists have identified a sophisticated supply chain attack targeting the Checkmarx KICS analysis tool, utilized by developers to identify security vulnerabilities in source code and configurations.

• The attackers compromised Docker images, Visual Studio Code (VSCode), and Open VSX extensions for KICS, enabling them to collect sensitive data from developer environments.
• KICS, short for Keeping Infrastructure as Code Secure, is a free, open-source scanner that examines source code, dependencies, and configuration files to detect potential security risks.
• The tool processes sensitive infrastructure configurations, frequently containing credentials, tokens, and internal architecture details.
• The compromised Docker image, VSCode, and Open VSX extensions targeted precisely the data processed by KICS, including:
• GitHub tokens
• Cloud (AWS, Azure, Google Cloud) credentials
• npm tokens
• SSH keys
• Environment variables

The compromised Docker image was hosted on the official checkmarx/kics Docker Hub repository, and the affected timeframe was from April 22, 2026, at 14:17:59 UTC to April 22, 2026, at 15:41:31 UTC.

Developers who pulled the compromised Docker image during this period are advised to take immediate action to secure their systems. The malicious Docker tags have been restored to their legitimate image digests, and the fake v2.1.21 tag has been deleted entirely.

• Users can update to the latest safe versions of the compromised projects, including:
• DockerHub KICS v2.1.20
• Checkmarx ast-github-action v2.3.36
• Checkmarx VS Code extensions v2.64.0
• Checkmarx Developer Assist extension v1.18.0

About Author

Vaibhav

See author's posts