
Cybersecurity researchers have warned about malicious images being pushed to the official “checkmarx/kics” Docker Hub repository.
Socket, a software supply chain security company, revealed in an alert published today that an unknown attacker overwrote existing tags, including v2.1.20 and alpine, while simultaneously introducing a new v2.1.21 tag that does not correspond to any public release. The Docker Hub repository has been archived at the time of writing.
“Analysis of the tainted images showed that the bundled KICS binaries had been modified to include data collection and extraction functionality that was not present in the canonical version,” Socket said.
“This malware can generate uncensored scan reports and send them encrypted to external endpoints, potentially posing a serious risk to teams using KICS to scan infrastructure files as code that may contain credentials and other sensitive configuration data.”
Further analysis of the incident indicated that related Checkmarx developer tools may also have been affected, including a recent release of a Checkmarx Visual Studio Code extension that shipped with malicious code that downloaded and executed remote add-ons through the Bun JavaScript runtime.
“This behavior occurred in versions 1.17.0 and 1.19.0 and was removed in 1.18.0. It relied on hard-coded GitHub URLs to retrieve and execute additional JavaScript without user verification or integrity validation,” Socket added.
Organizations that may have scanned their Terraform, CloudFormation, or Kubernetes configurations using affected KICS images should treat any secrets or credentials exposed in those scans as potentially compromised.
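As an added illustration, not code from the article or from Socket or Checkmarx, the following Python script triages a host's local Docker image list and its Visual Studio Code extension inventory against the indicators named above: the checkmarx/kics tags v2.1.20, alpine and v2.1.21, and the extension versions 1.17.0 and 1.19.0 (1.18.0 is reported clean, so the match is exact rather than a range). The extension identifier and the image digests in the sample data are placeholders, since the article names neither; the sample output lines are constructed.

```python
from dataclasses import dataclass

# Indicators taken from the incident report above.
AFFECTED_KICS_TAGS = {"v2.1.20", "alpine", "v2.1.21"}
AFFECTED_EXTENSION_VERSIONS = {"1.17.0", "1.19.0"}  # 1.18.0 is reported clean: exact match only
# Placeholder: the article does not name the extension identifier. Replace before use.
EXTENSION_ID = "checkmarx.EXTENSION-ID-PLACEHOLDER"


@dataclass(frozen=True)
class Finding:
    kind: str        # "docker-image" or "vscode-extension"
    identifier: str  # what was matched on this host
    reason: str      # why it is flagged


def parse_docker_images(output: str) -> list[tuple[str, str, str]]:
    """Parse `docker images --digests --format '{{.Repository}} {{.Tag}} {{.Digest}}'`."""
    rows = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # blank or malformed line
        rows.append((parts[0], parts[1], parts[2]))
    return rows


def triage_images(rows: list[tuple[str, str, str]]) -> list[Finding]:
    """Flag locally present checkmarx/kics images whose tag was overwritten or introduced."""
    findings = []
    for repo, tag, digest in rows:
        if repo != "checkmarx/kics" or tag not in AFFECTED_KICS_TAGS:
            continue
        findings.append(Finding(
            "docker-image", f"{repo}:{tag}@{digest}",
            "tag named in the incident report; a tag match alone is not proof, so compare "
            "the digest with a known-good digest from the vendor before trusting the image",
        ))
    return findings


def parse_extensions(output: str) -> dict[str, str]:
    """Parse `code --list-extensions --show-versions` output (`publisher.name@x.y.z`)."""
    installed = {}
    for line in output.splitlines():
        line = line.strip()
        if "@" not in line:
            continue
        ext_id, _, version = line.rpartition("@")
        installed[ext_id.lower()] = version  # extension ids are case-insensitive
    return installed


def triage_extensions(installed: dict[str, str], extension_id: str = EXTENSION_ID) -> list[Finding]:
    """Flag the extension only when the installed version is one reported as affected."""
    version = installed.get(extension_id.lower())
    if version is None or version not in AFFECTED_EXTENSION_VERSIONS:
        return []
    return [Finding(
        "vscode-extension", f"{extension_id}@{version}",
        "version named in the incident report as fetching and executing remote JavaScript via Bun",
    )]


def triage(docker_output: str, extensions_output: str) -> list[Finding]:
    """Run both checks over captured command output and return every finding."""
    return (triage_images(parse_docker_images(docker_output))
            + triage_extensions(parse_extensions(extensions_output)))


def fake_digest(ch: str) -> str:
    # Constructed placeholder digest for the sample data, not a real image digest.
    return "sha256:" + ch * 64


# Constructed sample command output (what `docker images --digests --format ...` and
# `code --list-extensions --show-versions` might print on an exposed workstation).
SAMPLE_DOCKER = "\n".join([
    f"checkmarx/kics v2.1.20 {fake_digest('a')}",
    f"checkmarx/kics latest {fake_digest('b')}",
    f"checkmarx/kics alpine {fake_digest('c')}",
    f"library/alpine 3.19 {fake_digest('d')}",
])
SAMPLE_EXTENSIONS = "\n".join([
    "ms-python.python@2024.2.1",
    f"{EXTENSION_ID}@1.17.0",
])

if __name__ == "__main__":
    for finding in triage(SAMPLE_DOCKER, SAMPLE_EXTENSIONS):
        print(f"[{finding.kind}] {finding.identifier}: {finding.reason}")
```

In practice the two sample strings are replaced by the real command output (for example `docker images --digests --format '{{.Repository}} {{.Tag}} {{.Digest}}' > images.txt`), and a hit on an image means the scan results produced by that image, and any secrets they contained, fall under the rotation advice above.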
“Evidence suggests this is not an isolated Docker Hub incident, but rather part of a broader supply chain breach affecting multiple Checkmarx distribution channels,” the company noted.
Hacker News has reached out to Checkmarx for more information. I will update the article if I receive a response.
(This is a developing story. Check back for more details.)
