7 min · critical

Malicious Checkmarx Artifacts Found in Official KICS Docker Repository and Code Extensions

A sophisticated supply chain attack compromised official Checkmarx KICS Docker images and VS Code extensions, injecting malware designed to harvest and exfiltrate cloud, developer, and CI/CD credentials. The threat actor, believed to be TeamPCP, utilized the Bun runtime to execute the payload, subsequently abusing stolen GitHub and NPM tokens to propagate the infection through malicious GitHub Actions workflows and poisoned NPM packages.

Sens: Immediate · Conf: high · Analyzed: 2026-04-23 · reports

Authors: Socket

Actors: TeamPCP

Source: Socket


Key Takeaways

  • Official Checkmarx KICS Docker images and VS Code extensions were compromised to include credential-stealing malware.
  • The malware, mcpAddon.js, is executed via the Bun runtime and targets GitHub, AWS, Azure, GCP, and NPM credentials.
  • Stolen GitHub tokens are used to inject malicious GitHub Actions workflows (format-check.yml) to exfiltrate repository secrets.
  • The threat actor uses stolen NPM credentials to republish packages with the malicious payload for lateral spread.
  • Exfiltrated data is staged in public GitHub repositories using Dune-themed naming conventions and a specific JSON structure.

Affected Systems

  • Docker environments using Checkmarx KICS images (v2.1.20, v2.1.21, alpine, debian, latest)
  • VS Code environments using Checkmarx extensions (cx-dev-assist v1.17.0, v1.19.0; ast-results v2.63.0, v2.66.0)
  • Windows and Unix-based developer systems

Attack Chain

The attack begins with the execution of compromised Checkmarx VS Code extensions or Docker images, which silently download and execute a malicious payload (mcpAddon.js) via the Bun runtime. This payload enumerates and steals various developer and cloud credentials, exfiltrating them to an external server (audit.checkmarx.cx). The malware then uses stolen GitHub tokens to inject malicious GitHub Actions workflows (format-check.yml) into accessible repositories, capturing secrets as artifacts. Finally, it leverages stolen NPM credentials to republish packages with the malicious payload, facilitating lateral movement and further supply chain propagation.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article does not provide specific detection rules (YARA, Sigma, etc.) but offers behavioral indicators, file hashes, and network IOCs for hunting.

Detection Engineering Assessment

  • EDR Visibility: High. EDR solutions can easily monitor process executions (e.g., cmd.exe spawning gh, gcloud, az commands) and file writes (e.g., ~/.checkmarx/mcp/mcpAddon.js).
  • Network Visibility: Medium. Network traffic to the C2 domain (audit.checkmarx.cx) can be detected, but exfiltration via GitHub API uses legitimate infrastructure, making it harder to distinguish from normal developer activity.
  • Detection Difficulty: Moderate. While the initial payload execution and credential enumeration commands are noisy and easily detectable, the subsequent propagation via GitHub Actions and NPM relies on stolen credentials and legitimate APIs, which blends in with normal developer workflows.

Required Log Sources

  • Process Creation (Event ID 4688 / Sysmon Event ID 1)
  • File Creation (Sysmon Event ID 11)
  • DNS Queries (Sysmon Event ID 22)
  • Network Connections (Sysmon Event ID 3)
  • GitHub Audit Logs

Hunting Hypotheses

  • Hypothesis: Look for unexpected execution of the Bun runtime, especially originating from VS Code extension directories or writing to ~/.checkmarx/mcp/. | Telemetry: Process Creation, File Creation | ATT&CK Stage: Execution | FP Risk: Low
  • Hypothesis: Identify rapid, sequential execution of credential enumeration commands (gh auth token, gcloud config, az account) by the same parent process. | Telemetry: Process Creation | ATT&CK Stage: Credential Access | FP Risk: Medium
  • Hypothesis: Monitor for the creation of new GitHub Actions workflows named format-check.yml, particularly on transient branches. | Telemetry: GitHub Audit Logs | ATT&CK Stage: Lateral Movement | FP Risk: Low
  • Hypothesis: Search for outbound network connections to audit.checkmarx.cx from developer endpoints or CI/CD runners. | Telemetry: Network Connections, DNS Queries | ATT&CK Stage: Command and Control | FP Risk: Low
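
The first two hypotheses can be expressed as detection logic over process-creation events. The following is an added example, not code from the Socket report or from this page. The event field names, the Bun command line, the 30-second window and the two-CLI threshold are assumptions, and the sample events are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command-line fragments copied from the page's IOC list.
CRED_CMDS = {
    "gh": re.compile(r"\bgh auth token\b"),
    "gcloud": re.compile(r"\bgcloud config config-helper\b"),
    "az": re.compile(r"\baz account get-access-token\b"),
    "azd": re.compile(r"\bazd auth token\b"),
}
# Bun launching the payload file named on the page.
BUN_PAYLOAD = re.compile(r"\bbun(\.exe)?\b.*mcpAddon\.js", re.I)

def hunt(events, window=timedelta(seconds=30), min_tools=2):
    """Flag Bun running mcpAddon.js, and any parent process that spawns
    credential commands for >= min_tools distinct CLIs within `window`."""
    alerts, by_parent = [], defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if BUN_PAYLOAD.search(ev["cmdline"]):
            alerts.append(("bun_mcpaddon", ev["host"], ev["pid"]))
        for tool, rx in CRED_CMDS.items():
            if rx.search(ev["cmdline"]):
                by_parent[(ev["host"], ev["ppid"])].append((ev["time"], tool))
    for (host, ppid), hits in by_parent.items():
        start = 0
        for end, (t_end, _) in enumerate(hits):
            while t_end - hits[start][0] > window:  # shrink to the time window
                start += 1
            if len({tool for _, tool in hits[start:end + 1]}) >= min_tools:
                alerts.append(("cred_enum_burst", host, ppid))
                break
    return alerts

def _ev(sec, host, pid, ppid, cmdline):
    return {"time": datetime(2026, 4, 23, 9, 0) + timedelta(seconds=sec),
            "host": host, "pid": pid, "ppid": ppid, "cmdline": cmdline}

# Constructed sample events; field names are assumptions modelled on Sysmon Event ID 1.
SAMPLE = [
    _ev(0, "dev-01", 4120, 900, r"bun.exe run C:\Users\a\.checkmarx\mcp\mcpAddon.js"),
    _ev(2, "dev-01", 4131, 4120, 'cmd.exe /d /s /c "gh auth token"'),
    _ev(3, "dev-01", 4132, 4120, 'cmd.exe /d /s /c "gcloud config config-helper --format json"'),
    _ev(4, "dev-01", 4133, 4120, 'cmd.exe /d /s /c "az account get-access-token --output json"'),
    # Benign: a developer shell running two of the CLIs ten minutes apart.
    _ev(0, "dev-02", 7001, 7000, "gh auth token"),
    _ev(600, "dev-02", 7002, 7000, "az account get-access-token --output json"),
]
```

Grouping by parent process and requiring distinct CLIs inside a short window is what keeps the dev-02 shell from alerting; tune both thresholds against your own baseline before deploying.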

Control Gaps

  • Lack of strict egress filtering on CI/CD runners
  • Over-permissive GitHub Actions token scopes
  • Missing integrity checks for remote code execution in VS Code extensions

Key Behavioral Indicators

  • Execution of mcpAddon.js via Bun
  • Creation of format-check.yml in .github/workflows/
  • Artifacts named format-results.txt
  • GitHub repositories with Dune-themed names (e.g., gesserit-melange-813) and 'Checkmarx Configuration Storage' descriptions

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Remove affected Checkmarx VS Code extensions (cx-dev-assist, ast-results) and KICS Docker images.
  • Rotate all potentially exposed credentials (GitHub tokens, NPM tokens, AWS/Azure/GCP credentials, SSH keys).
  • Delete any unauthorized GitHub Actions workflows (e.g., format-check.yml) and associated transient branches.

Infrastructure Hardening

  • Implement strict egress filtering on CI/CD runners to block unauthorized external connections.
  • Enforce the principle of least privilege for GitHub Actions tokens, restricting scopes to only what is necessary.
  • Require short-lived credentials and disable unnecessary artifact access in CI/CD pipelines.

User Protection

  • Monitor developer endpoints for unauthorized access to credential stores (.npmrc, .git-credentials, .env).
  • Deploy EDR rules to detect rapid, automated execution of cloud CLI credential enumeration commands.

Security Awareness

  • Educate developers on the risks of supply chain attacks and the importance of verifying the integrity of extensions and container images.
  • Establish a process for monitoring and reviewing new public repositories or workflow changes created outside normal release cycles.

MITRE ATT&CK Mapping

  • T1195.001 - Supply Chain Compromise: Compromise Software Dependencies and Development Tools
  • T1059.003 - Command and Scripting Interpreter: Windows Command Shell
  • T1528 - Steal Application Access Token
  • T1552.001 - Unsecured Credentials: Credentials In Files
  • T1552.004 - Unsecured Credentials: Private Keys
  • T1074.001 - Data Staged: Local Data Staging
  • T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage

Additional IOCs

  • IPs:
    • 94[.]154[.]172[.]43 - Network indicator associated with the compromise
  • Domains:
    • audit[.]checkmarx[.]cx - Malicious C2 and exfiltration domain
  • URLs:
    • hxxps://audit[.]checkmarx[.]cx/v1/telemetry - Exfiltration endpoint for stolen credentials
    • raw.githubusercontent.com/.../68ed490b/... - Hardcoded GitHub URL hosting the mcpAddon.js payload (partial URL provided in text)
  • File Hashes:
    • d47de3772f2d61a043e7047431ef4cf4 (MD5) - mcpAddon.js
    • 2b12cc5cc91ec483048abcbd6d523cdc9ebae3f3 (SHA1) - mcpAddon.js
    • e1023db24a29ab0229d99764e2c8deba (MD5) - kics ELF executable
    • 250f3633529457477a9f8fd3db3472e94383606a (SHA1) - kics ELF executable
    • 2588a44890263a8185bd5d9fadb6bc9220b60245dbcbc4da35e1b62a6f8c230d (SHA256) - Index manifest digest for alpine, v2.1.20, v2.1.21
    • d186161ae8e33cd7702dd2a6c0337deb14e2b178542d232129c0da64b1af06e4 (SHA256) - Image digest (linux/amd64) for alpine, v2.1.20, v2.1.21
    • 415610a42c5b51347709e315f5efb6fffa588b6ebc1b95b24abf28088347791b (SHA256) - Image digest (linux/arm64) for alpine, v2.1.20, v2.1.21
    • 222e6bfed0f3bb1937bf5e719a2342871ccd683ff1c0cb967c8e31ea58beaf7b (SHA256) - Index manifest digest for debian, v2.1.20-debian, v2.1.21-debian
    • a6871deb0480e1205c1daff10cedf4e60ad951605fd1a4efaca0a9c54d56d1cb (SHA256) - Image digest (linux/amd64) for debian, v2.1.20-debian, v2.1.21-debian
    • ff7b0f114f87c67402dfc2459bb3d8954dd88e537b0e459482c04cffa26c1f07 (SHA256) - Image digest (linux/arm64) for debian, v2.1.20-debian, v2.1.21-debian
    • a0d9366f6f0166dcbf92fcdc98e1a03d2e6210e8d7e8573f74d50849130651a0 (SHA256) - Index manifest digest for latest
    • 26e8e9c5e53c972997a278ca6e12708b8788b70575ca013fd30bfda34ab5f48f (SHA256) - Image digest (linux/amd64) for latest
    • 7391b531a07fccbbeaf59a488e1376cfe5b27aef757430a36d6d3a087c610322 (SHA256) - Image digest (linux/arm64) for latest
  • File Paths:
    • ~/.checkmarx/mcp/mcpAddon.js - Path where the malicious MCP addon is written to disk
    • .github/workflows/format-check.yml - Malicious GitHub Actions workflow injected by the worm
    • format-results.txt - Artifact file containing exfiltrated GitHub secrets
  • Command Lines:
    • Purpose: Enumerate GitHub authentication tokens | Tools: cmd.exe, gh | Stage: Credential Access | cmd.exe /d /s /c "gh auth token"
    • Purpose: Enumerate Google Cloud credentials | Tools: cmd.exe, gcloud | Stage: Credential Access | cmd.exe /d /s /c "gcloud config config-helper --format json"
    • Purpose: Enumerate Azure access tokens | Tools: cmd.exe, az | Stage: Credential Access | cmd.exe /d /s /c "az account get-access-token --output json
    • Purpose: Enumerate Azure Developer CLI tokens | Tools: cmd.exe, azd | Stage: Credential Access | cmd.exe /d /s /c "azd auth token --output json
  • Other:
    • checkmarx/cx-dev-assist@1.19.0 - Compromised VS Code extension
    • checkmarx/cx-dev-assist@1.17.0 - Compromised VS Code extension
    • checkmarx/ast-results@2.66.0 - Compromised VS Code extension
    • checkmarx/ast-results@2.63.0 - Compromised VS Code extension
    • 68ed490b - Malicious backdated Git commit containing mcpAddon.js
    • LongLiveTheResistanceAgainstMachines: - Commit message pattern used in exfiltration repositories