Software supply chain security firm Socket has warned that malicious images were pushed to the checkmarx/kics repository on Docker Hub. According to Socket, unknown attackers overwrote existing tags such as v2.1.20 and alpine and introduced a new tag, v2.1.21, that does not correspond to any official KICS release. The compromised repository has since been archived.
Disguised Malicious Features
The tampered images shipped a modified KICS binary with data-collection and exfiltration capabilities that the official builds do not have: it could produce unfiltered scan reports, encrypt them and transmit them to an external location. That is a serious risk for teams that run KICS against infrastructure-as-code files, because those files often contain hardcoded credentials and other secrets, and an unfiltered report would carry them out with the rest of the findings.
Further analysis found that Checkmarx's developer tooling was affected as well, including its Microsoft Visual Studio Code extensions. The malicious code in these extensions, present in versions 1.17.0 and 1.19.0 but absent from 1.18.0, could download a remote add-on from a hardcoded GitHub URL and execute it with the Bun runtime, without asking for user consent and without any integrity check on what it fetched.
Potential Impact and Recommendations
Organizations that ran the compromised KICS images against Terraform, CloudFormation or Kubernetes configurations should treat every secret or credential present in the scanned files as compromised and rotate it. According to Socket, the incident is not confined to Docker Hub; it is part of a broader supply chain attack that touched multiple Checkmarx distribution channels.
The Hacker News has reached out to Checkmarx for further comments and will provide updates as more information becomes available. This developing story emphasizes the importance of vigilance in software supply chain security and the need for immediate action from affected organizations.
Looking Ahead and Mitigation
The incident shows why container images and other build inputs need continuous verification rather than trust in a tag name: a tag such as v2.1.20 can be re-pushed with different contents at any time, and a tag such as v2.1.21 can appear without any matching release. Organizations should reference images by immutable digest, verify publisher signatures or provenance where they are available, and confirm that a tag corresponds to a published release before consuming it. Keeping tooling current still matters, but in a supply chain compromise the update itself can be the poisoned artifact, so updates need the same verification as everything else.
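As an added example that is not part of Socket's or Checkmarx's material, the following POSIX shell script shows the two checks a practitioner would want after the recommendations above: scan a local image listing for checkmarx/kics pulled at one of the affected tags, and produce the digest-pinned reference form that stops a re-pushed tag from changing what a CI job pulls. The affected tag names are the ones this article reports; the image listing, every digest and the function names are constructed placeholders, not real KICS data.

```shell
#!/bin/sh
# Added example, not code from Socket or Checkmarx. The tags in AFFECTED_TAGS
# are the ones named in the article; all digests below are constructed.

# Tags of checkmarx/kics reported as overwritten (v2.1.20, alpine) or
# unofficial (v2.1.21).
AFFECTED_TAGS="v2.1.20 alpine v2.1.21"

# flag_affected_kics: read "repository tag digest" lines on stdin and print
# the ones that reference checkmarx/kics at an affected tag.
# Returns 0 if at least one affected reference was found, 1 otherwise.
flag_affected_kics() {
  found=1
  while read -r repo tag digest; do
    [ "$repo" = "checkmarx/kics" ] || continue
    for t in $AFFECTED_TAGS; do
      if [ "$tag" = "$t" ]; then
        printf 'AFFECTED %s:%s %s\n' "$repo" "$tag" "$digest"
        found=0
      fi
    done
  done
  return $found
}

# local_image_listing: on a real host this would be the output of
#   docker images --digests --format '{{.Repository}} {{.Tag}} {{.Digest}}'
# Here it is a constructed listing so the example runs offline.
local_image_listing() {
  cat <<'EOF'
checkmarx/kics v2.1.20 sha256:0000000000000000000000000000000000000000000000000000000000000001
checkmarx/kics latest sha256:0000000000000000000000000000000000000000000000000000000000000002
checkmarx/kics v2.1.21 sha256:0000000000000000000000000000000000000000000000000000000000000003
alpine 3.19 sha256:0000000000000000000000000000000000000000000000000000000000000004
EOF
}

# count_affected: number of affected references in the constructed listing.
count_affected() {
  local_image_listing | flag_affected_kics | grep -c 'AFFECTED'
}

# pinned_reference: the form a CI job should use once a known-good digest has
# been established. Pulling by digest means a later push to the same tag
# cannot change the content that gets pulled. The digest is whatever the
# caller passes in; no real KICS digest is implied.
pinned_reference() {
  printf 'checkmarx/kics@%s\n' "$1"
}

# Stand-alone run: report affected references, then show a pinned reference.
local_image_listing | flag_affected_kics
pinned_reference "sha256:0000000000000000000000000000000000000000000000000000000000000002"
```

Note that `latest` is not flagged: the article names only v2.1.20, alpine and v2.1.21, so the script does not guess beyond that. The pinned form is the remediation, not the detection; the digest you pin must come from a build you have verified independently of Docker Hub tag names.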
As this situation evolves, cybersecurity firms and affected companies must collaborate to mitigate risks and strengthen the integrity of their software ecosystems. Stay tuned for further updates as this story develops.
