Docker flagged suspicious activity in the official checkmarx/kics Docker Hub repository, leading Socket to uncover malicious images with data exfiltration capabilities. The poisoned images, including overwritten tags v2.1.20 and alpine plus a fake v2.1.21 tag, contained a modified binary that could generate scan reports, encrypt them, and send them to an external endpoint. Teams using these images to scan IaC files (e.g., for credentials in AWS or K8s configs) are at risk. The investigation also revealed related VS Code extension releases (versions 1.17.0 and 1.19.0) that could download and execute remote JavaScript via the bun runtime without user confirmation. Evidence points to a broader supply chain compromise across multiple official distribution channels, not just Docker Hub.
Sort: