Malicious Docker Images Discovered in Checkmarx Supply Chain

Cybersecurity researchers warned on April 24, 2026, about malicious Docker images injected into the official "checkmarx/kics" repository on Docker Hub, the repository that distributes KICS (Keeping Infrastructure as Code Secure), Checkmarx's open-source infrastructure-as-code scanner. According to an alert from the software supply chain security firm Socket, unknown threat actors overwrote existing tags, including v2.1.20 and alpine, and pushed a new tag, v2.1.21, that does not correspond to any official release. Because a Docker tag is a mutable pointer rather than a fixed artifact, anyone who pulled or rebuilt against those tags after the overwrite would have received the attacker's image under a trusted name.

The tags were manipulated during April 2026. Overwriting tags in an official Docker Hub repository requires push access to that repository, so the attackers had evidently obtained publishing credentials for it; how that access was gained has not been disclosed. Socket classified the affected tags as malicious and recommends that users remove them immediately. The compromise matters because KICS is an IaC scanner that is commonly run in CI pipelines against a project's infrastructure code, so a tampered scanner image executes attacker-controlled code in the very environment it is supposed to protect, and images built on top of it could carry that code into production.

Socket also noted that the attackers may attempt to gain control over users' software environments: a replaced image runs with whatever access the container is given, including any source files and secrets mounted into the scan job, so malware baked into it can act in the pipeline or attempt to persist on the host. The firm advises reviewing all local and cached copies of the checkmarx/kics image and deleting the affected ones. The incident is part of a larger trend in which criminals target software supply chains rather than individual applications; such attacks are hard to detect because the malicious artifact arrives through a trusted channel and under a legitimate name.

The security community has observed an increase in such incidents in recent years, which underlines the need to verify the provenance of build and CI dependencies rather than trusting a registry name alone. Checkmarx has responded to the incident and is working to restore the integrity of its repository. The company has announced additional security measures to prevent future attacks but has not yet disclosed what they are.

Companies are urged to review their dependencies regularly and to pull only from trusted sources, and Socket emphasized that users should check their systems for anomalies. The exposure is not limited to Checkmarx users: the same technique, overwriting a mutable tag in a trusted registry, works against any image whose consumers pull by tag rather than by content digest, and the attackers may attempt it against other repositories. The security community is monitoring the situation for further developments.

Socket urged users to remove all unauthorized versions immediately and to return to official releases, and plans to publish further details in the coming days. The number of affected users and systems is currently unknown. Socket rated the incident critical: the affected tags can no longer be considered trustworthy. One caveat for anyone remediating: because v2.1.20 and alpine were overwritten in place, simply re-pulling the same tag fetches whatever currently sits behind it, so the digest of the restored image should be confirmed against a release Checkmarx has vouched for before it is trusted again.

Socket has begun a detailed analysis of the incident and will publish its results shortly. To recap, the affected tags are v2.1.20 and alpine, which were overwritten by the attackers, and v2.1.21, which is unofficial and should not be used. The incident has already drawn renewed attention to software supply chain security and is prompting companies to reassess how they verify the images they run.
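The remediation described above comes down to finding and removing any local copy of the affected tags. The shell script below is an added example, not code from the article, Socket or Checkmarx: it reads a listing in the shape produced by `docker images --digests --format '{{.Repository}} {{.Tag}} {{.Digest}}'` and flags the checkmarx/kics tags named in the report. The image listing embedded in it is constructed for demonstration and its digests are placeholders; on a real host you pipe the live docker output into `flag_affected` instead.

```shell
#!/bin/sh
# Added example (not from the article, Socket or Checkmarx): scan a Docker
# image listing for the checkmarx/kics tags named in the report.
# The tag list comes from the article; the sample listing below is constructed
# and its sha256 digests are placeholders, not real image digests.

AFFECTED_TAGS="v2.1.20 alpine v2.1.21"

# Constructed sample in the format of:
#   docker images --digests --format '{{.Repository}} {{.Tag}} {{.Digest}}'
SAMPLE_IMAGES='checkmarx/kics v2.1.20 sha256:0000000000000000000000000000000000000000000000000000000000000001
checkmarx/kics v2.1.19 sha256:0000000000000000000000000000000000000000000000000000000000000002
checkmarx/kics alpine sha256:0000000000000000000000000000000000000000000000000000000000000003
someorg/tool alpine sha256:0000000000000000000000000000000000000000000000000000000000000004
library/alpine 3.19 sha256:0000000000000000000000000000000000000000000000000000000000000005'

# flag_affected: read "repo tag digest" lines on stdin and print, as
# "repo:tag digest", only those whose repository is checkmarx/kics and whose
# tag is one of the affected tags. Other repositories with the same tag names
# (e.g. someorg/tool:alpine) are deliberately ignored.
flag_affected() {
    while read -r repo tag digest; do
        [ "$repo" = "checkmarx/kics" ] || continue
        for t in $AFFECTED_TAGS; do
            if [ "$tag" = "$t" ]; then
                printf '%s:%s %s\n' "$repo" "$tag" "$digest"
            fi
        done
    done
}

# count_affected: number of flagged images in the listing read on stdin.
count_affected() {
    flag_affected | wc -l | tr -d ' '
}

# Demo against the constructed listing. On a real host use instead:
#   docker images --digests --format '{{.Repository}} {{.Tag}} {{.Digest}}' | flag_affected
# and remove each flagged image with `docker rmi <repo>:<tag>`.
printf '%s\n' "$SAMPLE_IMAGES" | flag_affected
```

Removing the flagged images is only half of the fix: when re-pulling, reference the image by content digest (`checkmarx/kics@sha256:<digest>`) rather than by tag, since a digest cannot be silently repointed the way the overwritten tags were.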

Tags: Cybersecurity, Checkmarx, Docker, Supply Chain, Malware, Socket, Software Security
