In 2026, the software supply chain faced two similar attacks on Docker Hub, targeting Trivy and Checkmarx KICS. Both incidents involved stolen publisher credentials used to push malicious images through legitimate workflows, without breaching Docker's infrastructure. The KICS attack exposed users who pulled compromised tags to potential data exfiltration. This Q&A breaks down what happened, the risks, and how to protect your pipeline.
What happened with the KICS supply chain attack on Docker Hub?
On April 22, 2026, at approximately 12:35 UTC, a threat actor used stolen Checkmarx publisher credentials to authenticate to Docker Hub and pushed malicious images to the checkmarx/kics repository. Five existing tags were overwritten with malicious digests: latest, v2.1.20, v2.1.20-debian, alpine, and debian. Two new tags, v2.1.21 and v2.1.21-debian, were also created. The images came from an attacker-controlled source repository, not from Checkmarx. Docker's infrastructure was not compromised; the breach exploited compromised publisher credentials.
How did the attackers compromise the KICS repository?
The attackers obtained valid Checkmarx publisher credentials—likely through phishing, credential stuffing, or a previous breach of Checkmarx systems. Once authenticated, they pushed malicious Docker images directly to the official checkmarx/kics repository on Docker Hub. This method bypasses typical security controls because the publisher account is trusted by Docker Hub. The attack mirrors the earlier Trivy incident, where stolen credentials were used in the same way. There were no vulnerabilities in Docker Hub itself; the weak link was the credential management of the software publisher.
What was the malicious payload in the compromised KICS images?
The poisoned binary kept the legitimate scanning interface intact to avoid suspicion but added a quiet exfiltration path. Scan output—including secrets, credentials, cloud resource names, and internal topology—was collected, encrypted, and sent to attacker-controlled infrastructure at audit.checkmarx[.]cx. The network request used the User-Agent KICS-Telemetry/2.0 to blend in. Because KICS scans Terraform, CloudFormation, and Kubernetes configs, the stolen data is highly valuable for further attacks. The exfiltration was designed to be silent: no errors, no performance degradation, and legitimate scan results were still produced.
Which specific tags and digests were affected?
The following malicious digests were pushed (any match in your pull history means you pulled a compromised image):
- For alpine, v2.1.20, v2.1.21: Index manifest
sha256:2588… - For debian, v2.1.20-debian, v2.1.21-debian: Index manifest
sha256:222e… - For latest: Index manifest
sha256:a0d9…
Each index manifest includes separate digests for amd64 and arm64 architectures (e.g., amd64 sha256:d186… for alpine). If your CI pulled any of these tags between April 22 and the time of awareness, your environment may be compromised.
What should users do if they pulled the malicious KICS images?
Immediately rotate all credentials that were in scope when KICS ran on your repositories during the exposure window. The exfiltrated data may include API keys, cloud access tokens, and internal network details. Next, re-pull checkmarx/kics by digest—not by tag—to ensure you get the legitimate image. Pin your CI/CD pipelines to that digest so any future overwrite cannot silently affect you again. Purge the malicious digests from local caches, CI runner images, and pull-through registries. Finally, monitor network logs for connections to audit.checkmarx[.]cx and review access logs for suspicious activity.
How does this attack compare to the Trivy incident?
The KICS attack follows the exact same pattern as the earlier Trivy compromise: stolen publisher credentials, unchanged Docker Hub infrastructure, and malicious images pushed through authorized workflows. Both incidents targeted popular scanning tools, because their output is rich in secrets and cloud context. The key difference lies in the exfiltration mechanism: Trivy's malicious version used a different endpoint and User-Agent. Both attacks underscore that credential hygiene and image verification by digest are critical defenses. The recurrence within weeks signals that attackers are systematically targeting Docker Hub publishers with valuable security tools.
What does this pattern reveal about supply chain security?
These twin attacks highlight a fundamental weakness: publisher credentials remain a single point of failure in container supply chains. Even with no infrastructure breach, an attacker with valid credentials can silently compromise every downstream user. The pattern demands investment in (1) multi-factor authentication and credential rotation for publishing accounts, (2) digital signing of images with notary/v2 or similar, and (3) automated monitoring for unexpected tag changes. Defenders must move from trusting tags to trusting digests, and from reactive scanning to proactive credential hardening. Open, fast collaboration between publishers and users is essential to limit blast radius.