Checkmarx Supply Chain Hit: Poisoned KICS Docker Images and VS Code Extensions
Original source: "Malicious KICS Docker Images and VS Code Extensions Hit Checkmarx Supply Chain" (The Hacker News)

Attackers published malicious artifacts masquerading as Checkmarx’s KICS infrastructure-as-code scanner, seeding both Docker registries and the VS Code Marketplace with trojanized look-alikes. The campaign targets the developer tooling layer directly, where a single pull or install executes code inside CI pipelines and engineer workstations with broad access to source, secrets, and build infrastructure.
The choice of vehicle matters. KICS is a security scanner, so the images and extensions land in exactly the pipelines meant to catch malicious code, inverting the trust relationship. Docker Hub and the VS Code Marketplace remain weak distribution points because naming is effectively first-come, first-served, typo-squatting is trivial, and there is no binding between a publisher identity and the upstream project it claims to represent.
The structural lesson is that security-adjacent tooling is now a preferred supply chain target, and scanner containers in particular deserve the same provenance controls teams demand for production images — pinned digests, signed builds via Sigstore or equivalent, and publisher verification at install time rather than after an incident.
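One way to enforce the first and third of those controls before anything is pulled or installed is a policy check in CI that rejects unpinned image references and unknown publishers. The following is an added example, not code from The Hacker News article, Checkmarx or the KICS project: the allow-lists, the extension ids and the sample Dockerfile are all constructed for illustration, and the look-alike heuristic (edit distance of at most 2 from a trusted name) is an assumption a team would tune to its own publishers.

```python
"""Pre-pull policy check: digest pinning and publisher allow-listing.

Added example; not from the article, Checkmarx or KICS. Allow-lists and
sample inputs below are constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed allow-lists (assumption): namespaces and publisher ids the
# team has verified out of band. Replace with your own.
TRUSTED_IMAGE_NAMESPACES = {"checkmarx"}
TRUSTED_EXTENSION_PUBLISHERS = {"checkmarx"}

# [registry/]path[:tag][@sha256:<64 hex>]
IMAGE_RE = re.compile(
    r"^(?:(?P<registry>(?:[^/]+\.[^/]+|localhost)(?::\d+)?)/)?"
    r"(?P<path>[a-z0-9._-]+(?:/[a-z0-9._-]+)*)"
    r"(?::(?P<tag>[\w][\w.-]{0,127}))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)
EXT_RE = re.compile(r"^(?P<publisher>[a-z0-9-]+)\.(?P<name>[a-z0-9-]+)$", re.I)
FROM_RE = re.compile(r"^\s*FROM\s+(?:--\S+\s+)*(\S+)(?:\s+AS\s+(\S+))?", re.I)


@dataclass
class Finding:
    ref: str
    problem: str


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typo-squatted names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _lookalike(name: str, trusted: set[str]) -> str | None:
    """Return the trusted name this one is suspiciously close to, if any."""
    for t in trusted:
        if name != t and _edit_distance(name, t) <= 2:
            return t
    return None


def check_image_ref(ref: str) -> list[Finding]:
    """Flag references that are not digest-pinned or come from an untrusted Docker Hub namespace."""
    ref = ref.strip()
    m = IMAGE_RE.match(ref)
    if not m:
        return [Finding(ref, "unparseable image reference")]
    findings: list[Finding] = []
    if not m.group("digest"):
        findings.append(Finding(ref, "not pinned by digest"))
    if m.group("registry") is None:  # no registry host means Docker Hub
        path = m.group("path")
        namespace = path.split("/", 1)[0] if "/" in path else "library"
        if namespace != "library" and namespace not in TRUSTED_IMAGE_NAMESPACES:
            near = _lookalike(namespace, TRUSTED_IMAGE_NAMESPACES)
            hint = f" (look-alike of '{near}')" if near else ""
            findings.append(Finding(ref, f"untrusted Docker Hub namespace '{namespace}'{hint}"))
    return findings


def check_extension_id(ext_id: str) -> list[Finding]:
    """Flag VS Code extension ids (publisher.name) whose publisher is not allow-listed."""
    m = EXT_RE.match(ext_id.strip())
    if not m:
        return [Finding(ext_id, "unparseable extension id")]
    publisher = m.group("publisher").lower()
    if publisher in TRUSTED_EXTENSION_PUBLISHERS:
        return []
    near = _lookalike(publisher, TRUSTED_EXTENSION_PUBLISHERS)
    hint = f" (look-alike of '{near}')" if near else ""
    return [Finding(ext_id, f"untrusted publisher '{publisher}'{hint}")]


def scan_dockerfile(text: str) -> list[Finding]:
    """Check every FROM line that pulls an image (stage aliases and scratch are skipped)."""
    findings: list[Finding] = []
    stages = {"scratch"}
    for line in text.splitlines():
        m = FROM_RE.match(line)
        if not m:
            continue
        image, alias = m.group(1), m.group(2)
        if image.lower() not in stages:
            findings.extend(check_image_ref(image))
        if alias:
            stages.add(alias.lower())
    return findings


# Constructed sample Dockerfile; the digest is a placeholder, not a real image.
SAMPLE_DOCKERFILE = f"""\
FROM checkmarx/kics@sha256:{'0' * 64} AS kics
FROM checkmarks/kics:latest AS suspicious
FROM python:3.12
FROM kics AS final
"""

if __name__ == "__main__":
    for f in scan_dockerfile(SAMPLE_DOCKERFILE):
        print(f"{f.ref}: {f.problem}")
    for f in check_extension_id("check-marx.kics"):  # constructed id
        print(f"{f.ref}: {f.problem}")
```

Run it as a CI step over the repository's Dockerfiles and the workspace `extensions.json` recommendations and fail the build on any finding; the digest check is what makes a later re-push of the same tag harmless, and the allow-list is the install-time publisher binding the marketplaces themselves do not provide.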
This is an AI-generated summary. Read the original for the full story.