In the first half of 2026, the software supply chain faced two nearly identical attacks on Docker Hub—first targeting the popular vulnerability scanner Trivy, and then Checkmarx KICS. Both incidents followed the same playbook: stolen publisher credentials, legitimate publishing flows hijacked, and malicious images quietly pushed to unsuspecting users. While Docker's infrastructure remained secure, the ripple effects exposed credentials and configuration secrets across thousands of CI pipelines. This article breaks down the KICS attack, its implications, and the steps you need to take to safeguard your environment.
1. The KICS Attack: What Happened and When
On April 22, 2026, at 12:35 UTC, an attacker used valid Checkmarx publisher credentials to log into Docker Hub and push malicious images to the checkmarx/kics repository. They overwrote five existing tags with malicious digests (latest, v2.1.20, v2.1.20-debian, alpine, debian) and created two new tags (v2.1.21, v2.1.21-debian). The images were built from an attacker-controlled source repository, not from Checkmarx's own infrastructure. This allowed the malicious code to be inserted while preserving the legitimate scanning functionality.
2. How It Mirrors the Trivy Breach
Just weeks earlier, the Trivy repository on Docker Hub suffered an almost identical compromise. In both cases, the attacker stole publisher credentials (likely through phishing or credential reuse) and used them to push malware through normal CI/CD pipelines. Neither attack breached Docker's own systems. This pattern—credential theft followed by tag overwriting—represents a new class of supply chain threat that bypasses traditional image scanning and signature verification at the registry level.
3. The Attack Vector: Stolen Credentials, Not Infrastructure
The root cause in both incidents was not a vulnerability in Docker Hub or Checkmarx's code, but compromised authentication tokens for publisher accounts. These tokens had the necessary permissions to push new image manifests and tags. Once inside, the attacker could replace legitimate images with malicious ones without triggering alarms. This underscores the critical importance of securing publisher credentials—especially service tokens used in automation—with multi-factor authentication and strict rotation policies.
4. The Malicious Payload: Stealthy Data Exfiltration
The poisoned KICS binary kept the scanning functionality intact but added a quiet exfiltration path. After performing a scan, the malware collected the output—including any secrets, credentials, cloud resource names, and internal topology found in Terraform, CloudFormation, or Kubernetes configuration files—then encrypted it and sent it to attacker-controlled infrastructure at audit.checkmarx[.]cx using a User-Agent of KICS-Telemetry/2.0. This made the traffic appear like normal telemetry from legitimate KICS scans.
5. What Data Was Vulnerable
Because KICS is designed to scan infrastructure-as-code templates, its output routinely contains highly sensitive information. Attackers could extract database connection strings, API keys, cloud provider credentials, service principal secrets, and even network topology maps. Any repository that was scanned with the compromised KICS images during the exposure window likely leaked these credentials to the attacker. The scope of the breach is therefore broader than just the KICS image itself—it extends to every environment where those credentials were valid.
6. Affected Tags and Their Malicious Digests
If your CI/CD pipeline pulled any of the following tag-digest combinations between April 22, 12:35 UTC and the time of patch, treat them as compromised:
- alpine, v2.1.20, v2.1.21 → Index manifest digest:
sha256:2588a44890263a8185bd5d9fadb6bc9220b60245dbcbc4da35e1b62a6f8c230d - debian, v2.1.20-debian, v2.1.21-debian → Index manifest digest:
sha256:222e6bfed0f3bb1937bf5e719a2342871ccd683ff1c0cb967c8e31ea58beaf7b - latest → Index manifest digest:
sha256:a0d9366f6f0166dcbf92fcdc98e1a03d2e6210e8d7e8573f74d50849130651a0
7. Immediate Actions: Rotate Credentials and Purge Images
If your CI system ran KICS against any repository that contained credentials (e.g., in environment variables, mounted secrets, or scanned IaC files) during the exposure window, rotate all those credentials immediately. Do not assume any are safe. Additionally, re-pull the Checkmarx KICS image by digest (not by tag) from the official source, and pin your CI to that digest to prevent future silent overwrites. Purge all malicious digests from local caches, CI runners, and pull-through registries.
8. Long-Term Prevention: Pin by Digest, Not Tag
One of the most effective defenses against tag-based supply chain attacks is to always reference container images by their immutable digest (SHA256 hash), not by mutable tags like latest or version numbers. Tools like Docker Content Trust and Notary can also help, but they are often not enforced in CI pipelines. Educate your development teams to use digest references in all deployment manifests, and implement automated checks that reject tag-only references.
9. The Role of Open Collaboration in Incident Response
Both the Trivy and KICS incidents were resolved quickly thanks to rapid information sharing between Docker, the affected vendors, and the open-source community. Docker Hub’s transparency logs and image manifest immutability helped identify the malicious digests. Going forward, organizations should participate in threat intelligence sharing groups and maintain internal playbooks for supply chain compromises. The faster you can identify and communicate compromised artifacts, the less damage they can cause.
10. Key Takeaways for Your Security Posture
These attacks highlight that supply chain security is not just about scanning dependencies for vulnerabilities—it's about securing the entire pipeline from publisher credentials to image consumption. Invest in strong authentication for CI/CD accounts, monitor Docker Hub and other registries for unexpected tag changes, and adopt a zero-trust approach where every image pull is verified. The shape of supply chain attacks in 2026 is evolving, but with the right practices, defenders can stay ahead.
By understanding the KICS incident and its parallels with Trivy, you can harden your environment against similar threats. Remember: the attack pattern is clear—stolen credentials + legitimate publishing flow = silent compromise. Act now to close the gaps in your pipeline.