Hackers have compromised Docker images and VS Code and Open VSX extensions for the Checkmarx KICS analysis tool to harvest sensitive data from developer environments.
KICS, short for Keeping Infrastructure as Code Secure, is a free, open-source scanner that helps developers identify security vulnerabilities in source code, dependencies, and configuration files.
The tool is typically run locally via CLI or Docker, and processes sensitive infrastructure configs that often contain credentials, tokens, and internal architecture details.
Dependency security company Socket investigated the incident after receiving an alert from Docker about malicious images pushed to the official checkmarx/kics Docker Hub repository.
The investigation revealed that the compromise extended beyond the trojanized KICS Docker image to VS Code and Open VSX extensions that downloaded a hidden 'MCP addon' feature designed to fetch the secret-stealing malware.
Socket found that the 'MCP addon' feature downloads, from a hardcoded GitHub URL, "a multi-stage credential theft and propagation component" saved as mcpAddon.js.
According to the researchers, the malware targets precisely the data processed by KICS, including GitHub tokens, cloud (AWS, Azure, Google Cloud) credentials, npm tokens, SSH keys, Claude configs, and environment variables.
The malware then encrypts the collected data and exfiltrates it to audit.checkmarx[.]cx, a domain designed to impersonate legitimate Checkmarx infrastructure. Moreover, public GitHub repositories are automatically created for data exfiltration.
[Image: Automatically created GitHub repositories. Source: Socket]
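As an added check, not code from the article or from Socket, the following Python script walks a VS Code or Open VSX extensions directory and flags the two indicators the article names: a dropped file called mcpAddon.js and any reference to the audit.checkmarx[.]cx domain (matched in both live and defanged form). The extension tree that demo() scans is constructed for this example and contains nothing functional.

```python
import re
import tempfile
from pathlib import Path

# Indicators from the Socket findings summarised above.
SUSPECT_FILENAME = "mcpAddon.js"
EXFIL_DOMAIN = "audit.checkmarx.cx"  # the article defangs it as audit.checkmarx[.]cx

# Match the domain whether it appears live ("audit.checkmarx.cx") or defanged
# ("audit.checkmarx[.]cx"), so pasted IoC lists are caught as well.
DOMAIN_RE = re.compile(
    re.escape(EXFIL_DOMAIN).replace(r"\.", r"(?:\.|\[\.\])"), re.IGNORECASE
)
SCANNED_SUFFIXES = {".js", ".mjs", ".cjs", ".ts", ".json"}


def scan_extension_dir(root):
    """Walk an extensions directory and return a list of (path, reason) findings."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        if path.name == SUSPECT_FILENAME:
            findings.append((str(path), "filename matches mcpAddon.js"))
        if path.suffix.lower() in SCANNED_SUFFIXES:
            try:
                text = path.read_text(encoding="utf-8", errors="ignore")
            except OSError:
                continue
            if DOMAIN_RE.search(text):
                findings.append((str(path), f"references {EXFIL_DOMAIN}"))
    return findings


def build_sample_tree(base):
    """Write a constructed, fake extension tree for the demo (not real extension code)."""
    base = Path(base)
    good = base / "publisher.harmless-ext-1.0.0"
    good.mkdir(parents=True)
    (good / "extension.js").write_text("exports.activate = () => {};\n")
    bad = base / "publisher.trojaned-ext-1.0.0"
    bad.mkdir(parents=True)
    (bad / "package.json").write_text('{"name": "trojaned-ext"}\n')
    # Constructed stand-in for the dropped file: only the file name and the
    # defanged exfil domain are present, nothing that does anything.
    (bad / SUSPECT_FILENAME).write_text(
        "// constructed sample\nconst host = 'audit.checkmarx[.]cx';\n"
    )
    return base


def demo():
    """Scan a throwaway sample tree and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_extension_dir(tmp)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{reason}: {path}")
```

On a real workstation, point scan_extension_dir() at the editor's extensions directory (for VS Code this is normally ~/.vscode/extensions). A hit on either indicator is a reason to remove the extension and rotate every credential the article lists as targeted: GitHub and npm tokens, cloud credentials, SSH keys, and anything held in environment variables.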