Major Supply Chain Attack Uncovered: Malicious KICS Docker Images and VS Code Extensions Used to Steal Developer Credentials

In a rapidly evolving cybersecurity incident, researchers uncovered a significant supply chain attack targeting Checkmarx’s KICS ecosystem. The breach highlights how modern development pipelines—especially those relying on container images and third-party tooling—can become high-value targets for sophisticated threat actors.

This blog breaks down the attack, its technical depth, and what organizations must learn from it.


How the Attack Was Discovered

The incident came to light when Docker flagged suspicious activity involving newly pushed images to the official checkmarx/kics repository. Internal monitoring detected anomalies in image tags, prompting further investigation.

Researchers found that attackers had:

  • Overwritten legitimate tags such as v2.1.20 and alpine
  • Introduced a fake v2.1.21 release not present upstream
  • Embedded malicious modifications inside the KICS binary

This was not a simple tampering event—it was a deliberate attempt to poison a trusted distribution channel.
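Because the attackers re-pointed existing tags, a reference by tag gives no guarantee about which image is pulled. The following sketch is an added example, not part of the original post or of Checkmarx tooling: it scans pipeline text for checkmarx/kics references and separates tag references from digest-pinned ones. The digest and pipeline lines are constructed placeholders.

```python
import re

# Tags this page names as overwritten or fake. The page says "such as",
# so treat the set as a starting point, not a complete list.
TAGS_NAMED_ON_PAGE = {"v2.1.20", "alpine", "v2.1.21"}

REF = re.compile(
    r"(?<![\w.-])(?:docker\.io/)?checkmarx/kics"
    r"(?::(?P<tag>[A-Za-z0-9_][A-Za-z0-9_.-]*))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?"
)

def classify_refs(text, trusted_digests=frozenset()):
    """Return (line_no, reference, verdict) for every checkmarx/kics reference."""
    out = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in REF.finditer(line):
            tag, digest = m.group("tag"), m.group("digest")
            if digest:
                # A digest cannot be re-pointed, but it must be one you verified.
                verdict = "pinned-trusted" if digest in trusted_digests else "pinned-unverified"
            elif tag in TAGS_NAMED_ON_PAGE:
                verdict = "tag-named-in-incident"
            else:
                # Any other tag (or none, i.e. latest) can still be overwritten.
                verdict = "mutable-tag"
            out.append((n, m.group(0), verdict))
    return out

# Constructed placeholder digest and constructed pipeline lines (not real values).
PLACEHOLDER_DIGEST = "sha256:" + "a" * 64
SAMPLE = "\n".join([
    "image: checkmarx/kics:v2.1.20",
    "uses: docker://checkmarx/kics:latest",
    "run: docker run docker.io/checkmarx/kics:alpine scan -p .",
    "FROM checkmarx/kics@" + PLACEHOLDER_DIGEST,
    "FROM checkmarx/kics",
])

if __name__ == "__main__":
    for row in classify_refs(SAMPLE, trusted_digests={PLACEHOLDER_DIGEST}):
        print(row)
```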


What Made the Images Malicious?

The compromised KICS images contained a modified binary with hidden capabilities:

  • Collection of scan results (including sensitive infrastructure data)
  • Encryption of collected data
  • Exfiltration to external attacker-controlled endpoints

This is particularly dangerous because KICS scans Infrastructure-as-Code (IaC) files such as Terraform, Kubernetes, and CloudFormation—files that often contain secrets, credentials, or sensitive configurations.

Any organization using these poisoned images may have unknowingly leaked critical data.


Beyond Docker: A Multi-Channel Supply Chain Attack

The attack extended beyond Docker images into developer tooling, specifically VS Code extensions linked to Checkmarx.

Key Findings:

  • Malicious behavior introduced in versions 1.17.0 and 1.19.0
  • A hidden feature downloaded a file named mcpAddon.js
  • Code executed silently via the Bun runtime
  • Payload fetched from a hardcoded GitHub URL without verification

This indicates a coordinated attack across multiple distribution channels—not an isolated compromise.


The Payload: Credential Theft at Scale

The mcpAddon.js file acted as a powerful credential harvesting tool. Once executed, it ran the following commands:

  1. C:\WINDOWS\system32\cmd.exe /d /s /c "gh auth token"
  2. C:\WINDOWS\system32\cmd.exe /d /s /c "gcloud config config-helper --format json"
  3. C:\WINDOWS\system32\cmd.exe /d /s /c "az account get-access-token --output json --resource https://management.azure.com"
  4. C:\WINDOWS\system32\cmd.exe /d /s /c "azd auth token --output json --no-prompt --scope https://management.azure.com/.default"

It collected:

  • GitHub tokens
  • AWS, Azure, and Google Cloud credentials
  • SSH keys and environment variables
  • npm configuration files
  • CI/CD secrets

The malware then:

  1. Compressed and encrypted the data
  2. Exfiltrated it to external servers
  3. Stored it in attacker-controlled GitHub repositories

This created multiple redundant exfiltration paths, increasing attacker resilience.
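The command lines listed above can be turned into a detection over process-creation telemetry. This is an added example, not code from the original post: the event field names, the sample events and the choice of Bun as a suspect parent are assumptions. It groups token-helper calls by parent process, since one parent querying several cloud CLIs in a row is the distinctive signal.

```python
import re

# Token-helper invocations listed above: CLI name -> leading arguments.
TOKEN_HELPERS = {
    "gh": ("auth", "token"),
    "gcloud": ("config", "config-helper"),
    "az": ("account", "get-access-token"),
    "azd": ("auth", "token"),
}
# Assumption: Bun is not a normal part of this fleet, so it is a suspect parent.
SUSPECT_PARENTS = {"bun", "bun.exe"}

def helper_in(cmdline):
    """Return the token-helper CLI a command line invokes, or None."""
    # Unwrap the cmd.exe /d /s /c "<inner>" form shown in the list above.
    m = re.search(r'\s/c\s+"(.+)"\s*$', cmdline, re.I)
    words = (m.group(1) if m else cmdline).split()
    if not words:
        return None
    exe = re.split(r"[\\/]", words[0])[-1].lower()
    exe = re.sub(r"\.(exe|cmd|bat)$", "", exe)
    want = TOKEN_HELPERS.get(exe)
    return exe if want and tuple(words[1:1 + len(want)]) == want else None

def triage(events, min_helpers=2):
    """Alert when one parent queries several helpers, or is a suspect runtime."""
    seen = {}
    for ev in events:
        cli = helper_in(ev["cmdline"])
        if cli:
            key = (ev["host"], ev["parent_pid"], ev["parent"].lower())
            seen.setdefault(key, set()).add(cli)
    return [
        {"host": h, "parent_pid": pid, "parent": p, "helpers": sorted(clis)}
        for (h, pid, p), clis in seen.items()
        if p in SUSPECT_PARENTS or len(clis) >= min_helpers
    ]

# Constructed process-creation events (field names are assumptions, not a real schema).
CMD = r"C:\WINDOWS\system32\cmd.exe /d /s /c "
SAMPLE = [
    {"host": "dev-01", "parent_pid": 4120, "parent": "bun.exe", "cmdline": CMD + '"gh auth token"'},
    {"host": "dev-01", "parent_pid": 4120, "parent": "bun.exe", "cmdline": CMD + '"gcloud config config-helper --format json"'},
    {"host": "dev-01", "parent_pid": 4120, "parent": "bun.exe", "cmdline": CMD + '"az account get-access-token --output json --resource https://management.azure.com"'},
    {"host": "dev-02", "parent_pid": 900, "parent": "powershell.exe", "cmdline": "gh auth token"},
    {"host": "dev-02", "parent_pid": 900, "parent": "powershell.exe", "cmdline": "gh auth status"},
]
```

A single interactive `gh auth token` from a shell, as on dev-02 in the sample, stays below the threshold.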


Advanced Techniques Used by Attackers

This campaign stands out due to its technical sophistication:

1. Git History Manipulation

Attackers inserted a backdated commit into a repository:

  • Appeared legitimate (dated 2022)
  • Contained a ~10MB malicious payload
  • Hidden outside active branch history

This allowed them to host malware in a trusted repository without raising suspicion.


2. Obfuscation Layers

The payload used:

  • Mangled variable names
  • Encoded string tables
  • Embedded gzip + base64 payloads
  • Multiple decoding routines

These techniques made static analysis extremely difficult.
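For triage, the gzip + base64 layering can be unwrapped without executing anything. The following is an added example, not the researchers' tooling: it finds base64 runs, keeps those that decode to a gzip stream, decompresses them under a size cap and recurses. The two-layer sample is constructed from harmless text, and the thresholds are assumptions.

```python
import base64, binascii, gzip, hashlib, re, zlib

B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
MAX_OUT = 32 * 1024 * 1024   # cap per layer so a decompression bomb cannot exhaust memory

def gunzip_capped(blob, limit=MAX_OUT):
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)   # 16+ selects the gzip container
    out = d.decompress(blob, limit)
    if d.unconsumed_tail:
        raise ValueError("layer exceeds size cap")
    return out

def peel(text, depth=1, max_depth=6):
    """Yield (depth, bytes) for each gzip stream found inside base64 runs, recursively."""
    for m in B64_RUN.finditer(text):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue
        if raw[:2] != b"\x1f\x8b":                # gzip magic bytes
            continue
        try:
            data = gunzip_capped(raw)
        except (zlib.error, ValueError):
            continue
        yield depth, data
        if depth < max_depth:
            yield from peel(data.decode("latin-1"), depth + 1, max_depth)

def report(text):
    """Hash and measure each layer without ever executing it."""
    return [(d, len(b), hashlib.sha256(b).hexdigest()) for d, b in peel(text)]

def build_sample():
    """Constructed two-layer sample: harmless text wrapped the way the page describes."""
    inner = b"// constructed innermost layer, harmless placeholder text"
    mid = b'var s="' + base64.b64encode(gzip.compress(inner)) + b'";'
    outer = 'const t=["' + base64.b64encode(gzip.compress(mid)).decode() + '"];'
    return outer, inner

if __name__ == "__main__":
    for row in report(build_sample()[0]):
        print(row)
```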


3. GitHub Abuse for Data Exfiltration

The malware:

  • Created public repositories using stolen tokens
  • Stored encrypted payloads inside them
  • Embedded stolen tokens in commit messages

Repository names followed patterns like:

gesserit-melange-813
atreides-thumper-424
fedaykin-phibian-527

This subtle patterning helped automate large-scale operations while blending into normal activity.


4. CI/CD Worm Behavior

One of the most alarming aspects was automated propagation:

  • Identified repositories with GitHub Actions enabled
  • Injected malicious workflows
  • Extracted secrets using ${{ toJSON(secrets) }}
  • Uploaded secrets as artifacts
  • Cleaned traces afterward

This effectively turned compromised accounts into attack multipliers.
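A repository audit for the workflow pattern described above can be done with plain text matching. This is an added example, not part of the original post: it flags workflow files that serialise the whole secrets context and, more urgently, those that also upload artifacts. The workflow fragments are constructed test input.

```python
import re
from pathlib import Path

# The expression named above; GitHub expression function names are case-insensitive.
DUMP = re.compile(r"\$\{\{[^}]*\btoJSON\s*\(\s*secrets\s*\)", re.I)
UPLOAD = re.compile(r"\buses:\s*actions/upload-artifact@", re.I)

def audit_workflow(text):
    """Return (verdict, findings); findings are (line_no, kind, stripped line)."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        body = line.split(" #", 1)[0]          # drop trailing YAML comments
        if body.lstrip().startswith("#"):
            continue
        if DUMP.search(body):
            findings.append((n, "secrets-dump", line.strip()))
        elif UPLOAD.search(body):
            findings.append((n, "artifact-upload", line.strip()))
    kinds = {k for _, k, _ in findings}
    if {"secrets-dump", "artifact-upload"} <= kinds:
        return "dump-and-upload", findings
    if "secrets-dump" in kinds:
        return "dump-only", findings
    return "clean", []

def audit_repo(root):
    """Audit every workflow file under <root>/.github/workflows."""
    results = {}
    for path in sorted(Path(root, ".github", "workflows").glob("*.y*ml")):
        verdict, findings = audit_workflow(path.read_text(encoding="utf-8", errors="replace"))
        if verdict != "clean":
            results[path.name] = (verdict, findings)
    return results

# Constructed workflow fragments (not taken from the incident).
FLAGGED = """\
    steps:
      - env:
          ALL: ${{ toJSON(secrets) }}
      - uses: actions/upload-artifact@v4
"""
BENIGN = """\
    steps:
      - run: make test
        env:
          TOKEN: ${{ secrets.NPM_TOKEN }}
      - uses: actions/upload-artifact@v4
"""
```

Run `audit_repo` over each checkout, including non-default branches, since an injected workflow need not live on the main branch.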


5. npm Ecosystem Propagation

Using stolen npm tokens, attackers:

  • Identified writable packages
  • Republished them with malicious payloads
  • Spread infection downstream

This demonstrates a full supply chain attack lifecycle—from initial compromise to ecosystem-wide propagation.


Immediate Mitigation Steps

Organizations should treat this as a critical credential exposure event:

Rotate All Credentials

  • GitHub tokens
  • Cloud provider credentials
  • npm tokens
  • SSH keys

Remove Compromised Components

  • Delete affected Docker images
  • Uninstall malicious VS Code extensions
  • Audit CI/CD pipelines

Investigate GitHub Activity

Look for:

  • Unknown repositories
  • Suspicious workflows
  • Artifact downloads
  • Unauthorized commits

Audit npm Packages

Check for:

  • Unexpected version changes
  • New maintainers
  • Malicious install scripts

Monitor Systems

Detect:

  • Unexpected Bun runtime usage
  • Access to sensitive config files
  • Outbound traffic to unknown endpoints

Long-Term Security Recommendations

  • Enforce least-privilege access for tokens
  • Use short-lived credentials wherever possible
  • Restrict package publishing permissions
  • Harden GitHub Actions security policies
  • Monitor repository and workflow changes continuously

Our Opinion on This Incident

This attack is a stark reminder that trust in open-source ecosystems must be continuously verified—not assumed. What makes this breach particularly concerning is not just the compromise itself, but the level of planning and precision involved. The attackers didn’t simply inject malware—they engineered a multi-layered operation designed to persist, spread, and evade detection across multiple platforms.

The use of legitimate infrastructure (Docker Hub, GitHub, npm) as both delivery and exfiltration channels shows a deep understanding of developer workflows. This is no longer about exploiting vulnerabilities; it’s about exploiting trust.

Another critical takeaway is how easily developer environments can become high-value targets. Tools like VS Code extensions and CI/CD pipelines often operate with elevated permissions, making them ideal entry points for attackers. Organizations must start treating developer tooling with the same scrutiny as production systems.

Finally, the industry must move toward stronger verification mechanisms—such as signed artifacts, reproducible builds, and runtime integrity checks. Reactive security is no longer sufficient.

This incident isn’t just a breach—it’s a blueprint for future supply chain attacks.