Malicious Artifacts Found in Official KICS Docker Repository and Code Extensions
WHITE TeamPCP AlienVault 2026-04-22 Modified: 2026-04-23
Docker and Socket uncovered a supply chain compromise affecting Checkmarx KICS distribution channels. Attackers poisoned official Docker Hub images (tags v2.1.20, v2.1.21, alpine) and VS Code extensions (versions 1.17.0, 1.19.0), introducing unauthorized data exfiltration capabilities. The trojanized KICS binary collects and encrypts scan reports containing credentials from infrastructure-as-code files and transmits them to external endpoints. The compromised VS Code extensions download mcpAddon.js via the Bun runtime, harvesting GitHub tokens, AWS credentials, Azure tokens, npm configurations, and SSH keys. The malware creates public GitHub repositories for staging stolen data, injects malicious GitHub Actions workflows to capture repository secrets, and uses stolen npm credentials to identify writable packages for propagation. TeamPCP appears to claim responsibility for this multi-stage attack, which is designed to steal developer credentials and propagate through CI/CD pipelines.
Indicators of Compromise (20)