Supply Chain Attacks on Docker Hub: Lessons from the KICS and Trivy Compromises

Introduction

In recent weeks, the software supply chain security community has witnessed two significant compromises on Docker Hub involving widely used security tools: Trivy and Checkmarx KICS. Both incidents followed a similar pattern—compromised publisher credentials allowed threat actors to push malicious container images through legitimate publishing pipelines. While Docker's infrastructure remained uncompromised, anyone who pulled the affected tags during the exposure window had their supply chain temporarily exposed. This article provides a detailed account of the KICS incident, outlines the attack mechanics, lists the compromised images, and offers actionable steps for users to protect themselves—along with broader lessons for defending against such threats.

Overview of the Incidents

The Trivy Incident

In a prior event, malicious actors used stolen credentials to overwrite existing tags in the Trivy repository on Docker Hub. Although not detailed here, the incident underscored how quickly a trusted tool can become a vector for supply chain compromise. The KICS attack, which occurred a few weeks later, mirrored the same approach, highlighting a systematic vulnerability in how software is distributed via public registries.

The KICS Incident

On April 22, 2026 at approximately 12:35 UTC, a threat actor authenticated to Docker Hub using valid Checkmarx publisher credentials and pushed malicious images to the checkmarx/kics repository. Five existing tags were overwritten to malicious digests: latest, v2.1.20, v2.1.20-debian, alpine, and debian. Additionally, two new tags were created: v2.1.21 and v2.1.21-debian. Critically, the images were built from an attacker-controlled source repository, not from Checkmarx's official source code.

Jump to attack mechanics

Attack Mechanics and Exfiltration Methods

The poisoned KICS binary was designed to maintain the legitimate scanning functionality while secretly exfiltrating sensitive data. It collected the scan output—which commonly includes secrets, credentials, cloud resource names, and internal topology when scanning configuration files like Terraform, CloudFormation, and Kubernetes manifests—encrypted it, and sent it to attacker-controlled infrastructure at audit.checkmarx[.]cx. The network request used the User-Agent KICS-Telemetry/2.0, likely to evade detection as legitimate telemetry traffic.

By keeping the scanning surface intact, the attackers ensured that users would not immediately notice any malfunction. The quiet exfiltration path made the attack subtle, allowing malicious images to persist in CI pipelines and local caches until discovered.

Affected Images and Detection

Users who pulled any of the following malicious digests during the exposure window should treat their environment as compromised. Below is the list of affected index manifest digests and associated image digests for each architecture.

For tags: alpine, v2.1.20, v2.1.21

• Index manifest digest: sha256:2588a44890263a8185bd5d9fadb6bc9220b60245dbcbc4da35e1b62a6f8c230d
• Image digest (amd64): sha256:d186161ae8e33cd7702dd2a6c0337deb14e2b178542d232129c0da64b1af06e4
• Image digest (arm64): sha256:415610a42c5b51347709e315f5efb6fffa588b6ebc1b95b24abf28088347791b

For tags: debian, v2.1.20-debian, v2.1.21-debian

• Index manifest digest: sha256:222e6bfed0f3bb1937bf5e719a2342871ccd683ff1c0cb967c8e31ea58beaf7b
• Image digest (amd64): sha256:a6871deb0480e1205c1daff10cedf4e60ad951605fd1a4efaca0a9c54d56d1cb
• Image digest (arm64): sha256:ff7b0f114f87c67402dfc2459bb3d8954dd88e537b0e459482c04cffa26c1f07

For tag: latest

• Index manifest digest: sha256:a0d9366f6f0166dcbf92fcdc98e1a03d2e6210e8d7e8573f74d50849130651a0
• Image digest (amd64): sha256:26e8e9c5e53c972997a278ca6e12708b8788b70575ca013fd30bfda34ab5f48f
• Image digest (arm64): sha256:7391b531a07fccbbeaf59a488e1376cfe5b27aef757430a36d6d3a087c610322

See what to do if affected

Immediate Actions for Users

If your CI system ran KICS against any repository that contained credentials in scope during the exposure window, take the following steps immediately:

1. Rotate credentials that were in scope for those scans, including API keys, tokens, and database passwords.
2. Re-pull checkmarx/kics by digest, not tag, and update your CI configuration to pin to a known-good digest. This ensures that a future tag overwrite cannot silently affect you again.
3. Purge malicious digests from all locations: local Docker caches, CI runner caches, and any pull-through registries or mirrored repositories.

For guidance on verifying image integrity, refer to Docker's documentation on image digests. Organizations should also consider implementing attestation frameworks and binary authorization policies to restrict image pulls to verified artifacts only.

Broader Implications for Supply Chain Security

The repeated pattern—credential theft enabling image overwrites through official publishing flows—highlights a critical gap in the software supply chain ecosystem. Defenders must invest in strong authentication mechanisms such as hardware-based keys, short-lived tokens, and multi-factor authentication for publisher accounts. Additionally, monitoring for unexpected tag changes or new digests on official images can provide early warning.

Container registries could adopt tag immutability or digest-based trust policies to prevent overwriting existing tags without explicit approval. The open, fast collaboration shown by Docker and Checkmarx in responding to these incidents sets a positive example, but proactive measures are far more effective than reactive cleanup.

Conclusion

The Trivy and KICS compromises serve as a wake-up call for the software industry. With supply chain attacks becoming more sophisticated, relying solely on the reputation of a tool's maintainer is no longer sufficient. By adopting digest pinning, rotating credentials after potential exposure, and advocating for registry-level safeguards, the community can reduce the blast radius of future incidents. Vigilance and collective action remain our strongest defense.