Supply Chain Attacks on Docker Hub: Lessons from the KICS and Trivy Incidents
By
<h2 id="overview">Overview</h2>
<p>In early 2026, the software supply chain faced two similar attacks on Docker Hub: first targeting the Trivy vulnerability scanner, then the <strong>Checkmarx KICS</strong> infrastructure-as-code scanning tool. Both incidents involved threat actors using stolen publisher credentials to push malicious container images through legitimate publishing workflows. Neither attack compromised Docker's infrastructure itself, but the impact rippled through any organization that pulled the compromised tags. This article details the KICS incident and the broader pattern that defenders must address.</p><figure style="margin:20px 0"><img src="https://www.docker.com/app/uploads/2025/03/image.png" alt="Supply Chain Attacks on Docker Hub: Lessons from the KICS and Trivy Incidents" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: www.docker.com</figcaption></figure>
<h2 id="the-kics-incident-a-closer-look">The KICS Incident: A Closer Look</h2>
<p>On April 22, 2026, at approximately 12:35 UTC, an unauthorized actor authenticated to Docker Hub using valid credentials belonging to Checkmarx. They then pushed malicious images to the <code>checkmarx/kics</code> repository. Five existing tags were overwritten with malicious digests: <code>latest</code>, <code>v2.1.20</code>, <code>v2.1.20-debian</code>, <code>alpine</code>, and <code>debian</code>. Two new tags, <code>v2.1.21</code> and <code>v2.1.21-debian</code>, were also created. The malicious images were built from an attacker-controlled source repository, not from Checkmarx's official codebase.</p>
<h3 id="what-the-attackers-did">What the Attackers Did</h3>
<p>The poisoned KICS binary kept the legitimate scanning functionality intact but added a quiet exfiltration path. Scan output was collected, encrypted, and sent to attacker-controlled infrastructure at <code>audit.checkmarx[.]cx</code> using the User-Agent <code>KICS-Telemetry/2.0</code>. Because KICS scans configuration files such as Terraform, CloudFormation, and Kubernetes manifests, its output routinely contains <strong>secrets, credentials, cloud resource names, and internal topology</strong>—making this exfiltration particularly dangerous.</p>
<h2 id="affected-digests-and-immediate-steps">Affected Digests and Immediate Steps</h2>
<p>If your pull history includes any of the following digests, those images should be treated as malicious and purged immediately:</p>
<ul>
<li><strong>For alpine, v2.1.20, v2.1.21:</strong> Index manifest digest <code>sha256:2588a44890...</code>; amd64 image digest <code>sha256:d186161ae8...</code>; arm64 image digest <code>sha256:415610a42c...</code></li>
<li><strong>For debian, v2.1.20-debian, v2.1.21-debian:</strong> Index manifest digest <code>sha256:222e6bfed0...</code>; amd64 image digest <code>sha256:a6871deb04...</code>; arm64 image digest <code>sha256:ff7b0f114f...</code></li>
<li><strong>For latest:</strong> Index manifest digest <code>sha256:a0d9366f6f...</code>; amd64 image digest <code>sha256:26e8e9c5e5...</code>; arm64 image digest <code>sha256:7391b531a0...</code></li>
</ul>
<p>If your CI system ran KICS against any repository that had credentials in scope during the exposure window, <strong>rotate those credentials immediately</strong>. Re-pull <code>checkmarx/kics</code> by digest, not by tag, and pin your CI configuration to the digest so a future overwrite cannot silently affect you again. Purge the malicious digests from local caches, CI runners, and any pull-through registries.</p><figure style="margin:20px 0"><img src="https://www.docker.com/app/uploads/2025/03/image-1024x1024.png" alt="Supply Chain Attacks on Docker Hub: Lessons from the KICS and Trivy Incidents" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: www.docker.com</figcaption></figure>
<h2 id="the-broader-pattern-and-protecting-your-supply-chain">The Broader Pattern and Protecting Your Supply Chain</h2>
<p>Both the Trivy and KICS attacks follow the same playbook: stolen publisher credentials, tag overwrites, and exfiltration of sensitive data. <strong>No infrastructure breach</strong> of Docker Hub occurred, meaning the attacks exploited trust in the publishing pipeline itself. To defend against such threats:</p>
<ul>
<li><strong>Use digest pinning:</strong> Always reference images by their immutable SHA256 digest rather than mutable tags.</li>
<li><strong>Enable multi-factor authentication (MFA)</strong> for all publisher accounts on container registries.</li>
<li><strong>Monitor for unexpected tag updates</strong> on critical repositories using registry webhooks or third-party tools.</li>
<li><strong>Regularly audit pull histories</strong> and cross-reference against known malicious digests.</li>
<li><strong>Implement supply chain security scanning</strong> to detect anomalies in container behavior, such as unexpected network calls.</li>
</ul>
<h2 id="conclusion">Conclusion</h2>
<p>The KICS and Trivy incidents underscore a critical vulnerability in modern software supply chains: the reliance on credentials that, once stolen, can bypass even well-secured infrastructure. <strong>Fast, open collaboration</strong>—like the coordinated disclosure between Checkmarx and the security community—is essential for minimizing damage. But the deeper lesson is that <em>publishers and consumers must treat tags as untrusted by default</em> and adopt digest-based pinning as a standard practice. Only then can we reduce the blast radius of such supply chain compromises.</p>
Tags: