Introduction
In early 2026, two significant supply chain attacks targeted popular Docker Hub images—Trivy and Checkmarx KICS. In both incidents, attackers used stolen publisher credentials to push malicious container images through legitimate publishing workflows. Docker’s infrastructure remained intact, but anyone who pulled the compromised tags during the exposure window faced potential data exfiltration. The compromised KICS images, for example, collected scan output containing secrets, credentials, and cloud topology, then encrypted and sent it to attacker-controlled servers. This guide walks you through the actions you must take if you may have been affected, and how to protect your software supply chain going forward.
What You Need
- Access to your CI/CD pipeline logs and Docker pull history
- A list of Docker images and tags used in your environments
- Your credential management system (e.g., vault, secrets manager)
- Administrative permissions to clear local and remote container caches
- A text editor or terminal for running commands
- Your organization’s incident response plan (if any)
Step-by-Step Response
Step 1: Identify If You Pulled Compromised Images
Start by checking your Docker pull history across all systems—local developer machines, CI runners, and production clusters. Focus on the checkmarx/kics repository. The following malicious digests were published between April 22 and April 23, 2026:
- For alpine, v2.1.20, v2.1.21: Index manifest digest
sha256:2588a44890263a8185bd5d9fadb6bc9220b60245dbcbc4da35e1b62a6f8c230d - For debian, v2.1.20-debian, v2.1.21-debian: Index manifest digest
sha256:222e6bfed0f3bb1937bf5e719a2342871ccd683ff1c0cb967c8e31ea58beaf7b - For latest: Index manifest digest
sha256:a0d9366f6f0166dcbf92fcdc98e1a03d2e6210e8d7e8573f74d50849130651a0
If you see any of these digests in your history, assume you are compromised. Even if you only used the latest tag, the attacker overwrote it. If you pulled any tag from this repository during April 22–23, check the actual digest your system downloaded.
Step 2: Rotate All Credentials That May Have Been Exposed
Because KICS scans configuration files (Terraform, CloudFormation, Kubernetes), the exfiltrated output likely contained secrets, API keys, and cloud resource identifiers. Immediately rotate any credentials that were in the scope of a KICS run during the exposure window. This includes:
- Cloud provider access keys (AWS, Azure, GCP)
- Database connection strings and passwords
- Service account tokens
- SSH private keys
- Any other secrets present in the scanned repositories
Use your secrets management system to generate new keys and update all dependent services. Do not rely on the old credentials—assume they are now in the hands of the attacker.
Step 3: Re-pull the Legitimate Image by Digest, Not Tag
Checkmarx has since published clean images. To ensure you get the correct version, pull the image using its digest instead of a tag. For example:
docker pull checkmarx/kics@sha256:<correct_digest>Contact Checkmarx or check their official announcement for the latest verified digest. Once you have it, update all your CI/CD pipelines, Dockerfiles, and deployment manifests to reference the digest. This prevents a future tag overwrite from silently affecting you.
Step 4: Purge Malicious Images from All Caches and Registries
The compromised images may still be present in:
- Local Docker daemon caches
- CI runner disk images
- Pull-through registry caches (e.g., Artifactory, AWS ECR pull-through)
- Kubernetes node images
Run docker rmi on each malicious digest. For Kubernetes, consider using a tool like kubectl delete pods followed by image cleanup on nodes. For registry caches, remove the cached layers corresponding to the malicious digests. You want to eliminate any copy of the attacker’s image from your environment.
Step 5: Implement Image Pinning and Verification
To prevent future compromises, adopt these practices:
- Always pin by digest in production deployments and CI scripts. Tags are mutable; digests are immutable.
- Use Docker Content Trust (DCT) or Notary to sign and verify images.
- Leverage policy engines (e.g., OPA, Kyverno) to enforce that only signed images with known digests can be deployed.
- Monitor for unauthorized images using runtime security tools that detect anomalous behavior (e.g., unexpected outbound connections to unknown domains).
Step 6: Monitor for Post-Compromise Activity
Even after rotating secrets and cleaning images, monitor your environment for signs of continued exploitation. Look for:
- Network connections to
audit.checkmarx[.]cxor similar unknown endpoints - Unexplained credential usage in cloud audit logs
- New containers running malicious images
- Scan output being sent to external services
Set up alerts for any outbound traffic from container workloads to unexpected external IPs. Retain logs for forensic analysis.
Tips for Long-Term Prevention
- Collaborate openly with the security community. Both Trivy and KICS incidents were detected and reported rapidly because of shared intelligence. Join threat-sharing groups and subscribe to advisories.
- Audit your publisher credentials. Ensure the credentials used for publishing images are protected with multi-factor authentication and have minimal permissions. Rotate them regularly.
- Use separate accounts for publishing and consuming images. If possible, avoid pulling from the same account used for pushing.
- Test your incident response plan with tabletop exercises that simulate a supply chain attack. Practice the steps above before a real incident occurs.
- Keep your tooling up-to-date – vulnerability scanners and admission controllers can catch malicious images if they have up-to-date signatures and rules.
By following these steps, you can recover from a Docker Hub supply chain compromise and reduce the risk of future attacks. The key is to act quickly, rotate everything, and shift to immutable references.