Checkmarx KICS Docker images and VS Code extensions (TeamPCP): mcpAddon.js multi-cloud stealer, orphan commit staging, GitHub Actions workflow injection

TeamPCP compromised two official Checkmarx distribution channels on April 22, 2026: the checkmarx/kics Docker Hub repository and four versions of Checkmarx VS Code and OpenVSX extensions. First reported by Docker and the Socket Research Team, the compromise was publicly claimed by TeamPCP via a post from @pcpcats: "Thank you OSS distribution for another very successful day at PCP inc."

The two delivery channels use different payloads but share the same C2 infrastructure: audit.checkmarx[.]cx/v1/telemetry. The VS Code extension payload (mcpAddon.js) is the first documented instance of the TeamPCP credential-stealing framework operating on developer workstations rather than CI/CD runners — expanding the attack surface from build infrastructure to the developer's local machine.

Docker Hub: trojanized kics binary

Attackers overwrote Docker Hub tags v2.1.20, v2.1.20-debian, debian, alpine, and latest with a trojanized image, and published a fake v2.1.21 tag that never corresponds to a legitimate upstream release. The bundled kics Go binary was modified to:

1. Generate an uncensored scan report including any credentials or secrets found in the scanned infrastructure-as-code
2. Encrypt the report with an attacker-controlled key
3. Send the encrypted report to audit.checkmarx[.]cx/v1/telemetry

Any team running KICS against Terraform, CloudFormation, or Kubernetes configurations with embedded credentials or secret references should treat that material as potentially exfiltrated. The trojanized tags were subsequently restored to the prior legitimate release; the fake v2.1.21 tag was deleted. Verification requires matching pulled image digests against the compromised SHA-256 digests below.

VS Code extensions: mcpAddon.js via orphan commit

Four extension versions contain a hidden "MCP addon" feature that activates on extension startup:

• checkmarx/cx-dev-assist versions 1.17.0 and 1.19.0
• checkmarx/ast-results versions 2.63.0 and 2.66.0

On activation, the feature silently downloads mcpAddon.js from a hardcoded GitHub URL pointing to an orphaned, backdated commit (68ed490b) inside the legitimate Checkmarx/ast-vscode-extension repository. The commit is spoofed to appear authored in 2022 with a benign-looking message — invisible through routine code review. The 10 MB second-stage payload sits outside active branch history and is executed via Bun.

mcpAddon.js: credential stealer and worm propagator

mcpAddon.js is a multi-stage framework with three operational phases:

Phase 1 — Credential collection: GitHub auth tokens, AWS credentials, Azure tokens (including Az.Accounts module enumeration across tenants), Google Cloud credentials, npm configuration files, SSH keys, environment variables, Claude and MCP configuration files. All results are compressed and encrypted before exfiltration over HTTPS to audit.checkmarx[.]cx/v1/telemetry.

Phase 2 — GitHub exfiltration staging: Using stolen GitHub tokens, creates public repositories under each victim account with description "Checkmarx Configuration Storage" and names matching the <word>-<word>-<3 digits> pattern. Commits encrypted payload, wrapped key, and token material to these repositories.

Phase 3 — Propagation through two vectors:

• GitHub Actions injection: Commits .github/workflows/format-check.yml using ${{ toJSON(secrets) }} to serialize every repository secret into a workflow artifact, retrieves it via the Actions API, then deletes the branch and workflow run. This extracts secrets from repositories where the victim has push access without leaving visible evidence.
• npm republishing: Enumerates packages the victim can publish via the authenticated /-/org/<user>/package endpoint and republishes them with the malicious payload injected. This is the worm propagation mechanism — stolen npm tokens extend the campaign to downstream packages.

The compromised Docker image's kics ELF binary shares the same C2 infrastructure as mcpAddon.js, confirming common operator control of both delivery channels.

Indicators of compromise

Docker image digests (compromised, SHA-256):

Group 1 (alpine, v2.1.20, v2.1.21):

• Index: sha256:2588a44890263a8185bd5d9fadb6bc9220b60245dbcbc4da35e1b62a6f8c230d
• linux/amd64: sha256:d186161ae8e33cd7702dd2a6c0337deb14e2b178542d232129c0da64b1af06e4
• linux/arm64: sha256:415610a42c5b51347709e315f5efb6fffa588b6ebc1b95b24abf28088347791b

Group 2 (debian, v2.1.20-debian, v2.1.21-debian):

• Index: sha256:222e6bfed0f3bb1937bf5e719a2342871ccd683ff1c0cb967c8e31ea58beaf7b
• linux/amd64: sha256:a6871deb0480e1205c1daff10cedf4e60ad951605fd1a4efaca0a9c54d56d1cb
• linux/arm64: sha256:ff7b0f114f87c67402dfc2459bb3d8954dd88e537b0e459482c04cffa26c1f07

Group 3 (latest):

• Index: sha256:a0d9366f6f0166dcbf92fcdc98e1a03d2e6210e8d7e8573f74d50849130651a0
• linux/amd64: sha256:26e8e9c5e53c972997a278ca6e12708b8788b70575ca013fd30bfda34ab5f48f
• linux/arm64: sha256:7391b531a07fccbbeaf59a488e1376cfe5b27aef757430a36d6d3a087c610322

File hashes (SHA-256):

• mcpAddon.js: 24680027afadea90c7c713821e214b15cb6c922e67ac01109fb1edb3ee4741d9
• kics ELF binary: 2a6a35f06118ff7d61bfd36a5788557b695095e7c9a609b4a01956883f146f50

Network indicators (defanged):

• audit.checkmarx[.]cx — C2 / exfiltration endpoint
• 94.154.172[.]43 — C2 IP

Filesystem artifact: ~/.checkmarx/mcp/mcpAddon.js

GitHub artifacts:

• Unexpected public repositories under victim accounts with description "Checkmarx Configuration Storage"
• Commit messages beginning LongLiveTheResistanceAgainstMachines:
• Unexpected .github/workflows/format-check.yml referencing ${{ toJSON(secrets) }}

Remediation

• Docker: Stop containers running compromised tags. Verify pulled image digests against the SHA-256 digests above. Use docker pull checkmarx/kics@sha256:<verified-clean-digest> — pull by digest rather than tag going forward.
• VS Code: Uninstall affected extension versions. Delete ~/.checkmarx/mcp/mcpAddon.js.
• Rotate all exposed credentials: GitHub tokens, SSH keys, AWS/Azure/GCP credentials, npm publishing tokens, Kubernetes configs, environment-variable secrets, Claude and MCP configuration material.
• Audit GitHub for "Checkmarx Configuration Storage" repositories and format-check.yml workflow commits. Delete unauthorized repositories and revoke the tokens used to create them.
• Review npm packages you maintain for unexpected versions published via stolen tokens.
• Pin Docker images to verified digests rather than mutable tags. Pin GitHub Actions to full commit SHAs.

Criminal-market signal

No dark-web presence for Checkmarx KICS compromise tooling has been observed. TeamPCP public self-attribution via @pcpcats on April 22, 2026 — the same day as the compromise — confirms the operator-run model and is inconsistent with commodity marketplace behavior. H2 (operator-run, no dark-web market) is confirmed by self-attribution evidence at Layer 1.