{ "name": "Malicious Artifacts Found in Official KICS Docker Repository and Code Extensions", "slug": "malicious-artifacts-found-in-official-kics-docker-repository-and-code-extensions", "description": "Docker and Socket uncovered a supply chain compromise affecting Checkmarx KICS distribution channels. Attackers poisoned official Docker Hub images (tags v2.1.20, v2.1.21, alpine) and VS Code extensions (versions 1.17.0, 1.19.0), introducing unauthorized data exfiltration capabilities. The trojanized KICS binary collects and encrypts scan reports containing credentials from infrastructure-as-code files, transmitting them to external endpoints. Compromised VS Code extensions download mcpAddon.js via Bun runtime, harvesting GitHub tokens, AWS credentials, Azure tokens, npm configurations, and SSH keys. The malware creates public GitHub repositories for staging stolen data, injects malicious GitHub Actions workflows to capture repository secrets, and uses stolen npm credentials to identify writable packages for propagation. TeamPCP appears to claim responsibility for this multi-stage attack designed to steal developer credentials and propagate through CI/CD pipelines.", "published": "2026-04-22T22:57:45.610000+00:00", "created_at": "2026-04-27T14:33:22.304000+00:00", "modified_at": "2026-04-27T12:33:22+00:00", "created_at_opencti": "2026-04-27T14:33:22.304000+00:00", "author": "AlienVault", "confidence": 100, "report_types": [ "threat-report" ], "labels": [ "canister worm", "checkmarx kics", "ci/cd compromise", "credential theft", "docker hub poisoning", "github actions", "mcpaddon.js", "npm propagation", "supply chain compromise", "vs code extension" ], "tags": [ "2026-04-22", "canister worm", "checkmarx kics", "ci/cd compromise", "credential-theft", "docker hub poisoning", "github actions", "mcpaddon.js", "npm propagation", "supply chain compromise", "vs code extension" ], "related_entities": { "indicators": [ { "id": "8b2c5116-f354-46b0-a217-726ceb3c227b", "name": "415610a42c5b51347709e315f5efb6fffa588b6ebc1b95b24abf28088347791b" }, { "id": "d765dc46-c638-4d09-ab07-dba2c9eb4254", "name": "222e6bfed0f3bb1937bf5e719a2342871ccd683ff1c0cb967c8e31ea58beaf7b" }, { "id": "9f608187-4a79-492f-b1ed-06bc83603ab8", "name": "https://audit.checkmarx.cx/v1/telemetry" }, { "id": "f9efa8c1-dad9-417f-83e8-8ab76834e0fb", "name": "2a6a35f06118ff7d61bfd36a5788557b695095e7c9a609b4a01956883f146f50" }, { "id": "56764cf7-8468-48e3-9eeb-34db4118d2e0", "name": "a6871deb0480e1205c1daff10cedf4e60ad951605fd1a4efaca0a9c54d56d1cb" }, { "id": "5c20837c-8c0d-41cc-99ec-f200aa4f3832", "name": "a0d9366f6f0166dcbf92fcdc98e1a03d2e6210e8d7e8573f74d50849130651a0" }, { "id": "6e188e9a-1e9e-4280-a760-643926dd0067", "name": "7391b531a07fccbbeaf59a488e1376cfe5b27aef757430a36d6d3a087c610322" }, { "id": "b44b8b9e-3844-49ae-8f66-4e8ba08b624d", "name": "26e8e9c5e53c972997a278ca6e12708b8788b70575ca013fd30bfda34ab5f48f" }, { "id": "bb559900-c7be-4f53-b4d7-f205d5045a51", "name": "94.154.172.43" }, { "id": "2edc5421-3898-4b69-bdc7-56f2bc76ba98", "name": "ff7b0f114f87c67402dfc2459bb3d8954dd88e537b0e459482c04cffa26c1f07" }, { "id": "25b4d99e-b7f6-4215-9748-f2e720ad9ea7", "name": "audit.checkmarx.cx" }, { "id": "e5b82d98-6f47-42e1-8e6a-f0d94d8eaa7d", "name": "d186161ae8e33cd7702dd2a6c0337deb14e2b178542d232129c0da64b1af06e4" }, { "id": "d51e1372-514b-4ef5-b150-5288aa27e30a", "name": "2588a44890263a8185bd5d9fadb6bc9220b60245dbcbc4da35e1b62a6f8c230d" }, { "id": "47033e84-cca8-4142-852b-181b1dfe7099", "name": "24680027afadea90c7c713821e214b15cb6c922e67ac01109fb1edb3ee4741d9" } ], "intrusion_sets": [ { "id": "5255c6ce-4692-4aea-b599-0e78a6c4c4aa", "name": "TeamPCP", "slug": "teampcp" } ], "attack_patterns": [ { "id": "7671fe3e-6a85-463e-928d-16117d2f4f9b", "name": "T1059.006" }, { "id": "b7ba0db0-7d4f-436f-8d5f-c431d690b048", "name": "T1555.003" }, { "id": "32b33067-6566-4b8d-be80-e96f765d84de", "name": "T1059.001" }, { "id": "e615d5ec-8d67-4048-b21d-a5fb09925bb9", "name": "T1552.001" }, { "id": "61188dce-ace8-48b2-bda2-c846b920485c", "name": "T1567.001" }, { "id": "5e7cb3d2-6a97-48b2-bdd2-f11eee10f6dc", "name": "T1137" }, { "id": "6b2e0999-c7e8-4662-94ac-19aa8520ee46", "name": "T1059.003" }, { "id": "96df92ce-da3e-4c6d-8250-cb250c9ed619", "name": "T1554" }, { "id": "97d377d8-89c7-48f8-a79f-0f48bd60df74", "name": "T1005" }, { "id": "14e5fcd9-c0ff-44f0-8430-d8942ebb832e", "name": "T1567.002" }, { "id": "1d0d9e67-eb8a-439c-a2c7-cab311bb25c4", "name": "T1195.002" }, { "id": "0b534d7b-0850-41a7-9bc5-f2e6162eea42", "name": "T1195.001" }, { "id": "ee82762a-2958-4901-aade-341277d9b410", "name": "T1078.004" }, { "id": "436e795b-553f-444e-b837-65818d8f539f", "name": "T1119" }, { "id": "cce460e9-f310-41ac-9464-19c21fb0924e", "name": "T1136.003" }, { "id": "e1b18ecf-d74e-4fe6-9bd4-ca6a62e7d818", "name": "T1027.002" }, { "id": "a6b6df0a-93c1-4ddf-8403-2bc47590f9fe", "name": "T1087.001" }, { "id": "7c497590-4975-4cec-b8c6-e94966b6e9c3", "name": "T1087.004" }, { "id": "b5b8a750-44c3-455d-8b8c-a29ae078f148", "name": "T1098.001" } ], "malware": [ { "id": "c62be05a-585e-42fc-8b01-adc10f782123", "name": "Canister Worm", "slug": "canister-worm" }, { "id": "010552f3-0d12-4d27-a6ed-5556e3e53400", "name": "mcpAddon.js", "slug": "mcpaddonjs" } ], "observables": [ { "id": "e2586cc6-c542-4544-91d9-dffb169dad08", "name": "audit.checkmarx.cx" }, { "id": "0ad877e6-d08b-452d-a44b-8f6b3e3a23bf", "name": "94.154.172.43" }, { "id": "2be9afeb-d4f7-4940-99f1-6088caa738f1", "name": "https://audit.checkmarx.cx/v1/telemetry" }, { "id": "", "name": "415610a42c5b51347709e315f5efb6fffa588b6ebc1b95b24abf28088347791b" }, { "id": "", "name": "222e6bfed0f3bb1937bf5e719a2342871ccd683ff1c0cb967c8e31ea58beaf7b" }, { "id": "", "name": "2a6a35f06118ff7d61bfd36a5788557b695095e7c9a609b4a01956883f146f50" }, { "id": "", "name": "a6871deb0480e1205c1daff10cedf4e60ad951605fd1a4efaca0a9c54d56d1cb" }, { "id": "", "name": "a0d9366f6f0166dcbf92fcdc98e1a03d2e6210e8d7e8573f74d50849130651a0" }, { "id": "", "name": "7391b531a07fccbbeaf59a488e1376cfe5b27aef757430a36d6d3a087c610322" }, { "id": "", "name": "26e8e9c5e53c972997a278ca6e12708b8788b70575ca013fd30bfda34ab5f48f" }, { "id": "", "name": "ff7b0f114f87c67402dfc2459bb3d8954dd88e537b0e459482c04cffa26c1f07" }, { "id": "", "name": "d186161ae8e33cd7702dd2a6c0337deb14e2b178542d232129c0da64b1af06e4" }, { "id": "", "name": "2588a44890263a8185bd5d9fadb6bc9220b60245dbcbc4da35e1b62a6f8c230d" }, { "id": "", "name": "24680027afadea90c7c713821e214b15cb6c922e67ac01109fb1edb3ee4741d9" } ], "others": [ { "id": "", "name": "Technology" }, { "id": "", "name": "audit.checkmarx.cx" } ] }, "external_refs": [ { "id": "d358b5d1-c7ec-49ca-800f-7a5a9022784f", "standard_id": "external-reference--c8ff17ab-eda4-539a-9c57-a7a704e63034", "entity_type": "External-Reference", "source_name": "AlienVault", "description": null, "url": "https://socket.dev/blog/checkmarx-supply-chain-compromise", "hash": null, "external_id": null, "created": "2026-04-27T14:33:22.098Z", "modified": "2026-04-27T14:33:22.098Z", "createdById": null }, { "id": "402925a7-e0f4-45b3-a615-87d7955d914e", "standard_id": "external-reference--cdbbaceb-8f15-5e74-8647-f08f0dcac540", "entity_type": "External-Reference", "source_name": "AlienVault", "description": null, "url": "https://otx.alienvault.com/pulse/69e9526908d4b6c7e9c97fed", "hash": null, "external_id": "69e9526908d4b6c7e9c97fed", "created": "2026-04-27T14:33:21.961Z", "modified": "2026-04-27T14:33:21.961Z", "createdById": null } ] }