In late April 2026, two significant supply chain compromises struck Docker Hub, targeting the popular security tools Trivy and Checkmarx KICS. Both incidents followed an eerily similar playbook: threat actors used stolen publisher credentials to push malicious container images through legitimate publishing pipelines—without breaching Docker’s infrastructure. Anyone who pulled the affected tags during the exposure window had their software supply chain briefly exposed. Here are eight critical things you need to know about these attacks, what they mean for your defenses, and how to protect yourself going forward.
1. How the KICS Attack Unfolded
On April 22, 2026, at approximately 12:35 UTC, an attacker used valid Checkmarx publisher credentials to authenticate to Docker Hub and push malicious images to the checkmarx/kics repository. Five existing tags were overwritten (latest, v2.1.20, v2.1.20-debian, alpine, debian) and two new tags (v2.1.21, v2.1.21-debian) were created. The images were built from an attacker-controlled source repository, not from Checkmarx’s own. The malicious binary preserved the scanning functionality but added a stealthy exfiltration path—collected scan output was encrypted and sent to audit.checkmarx[.]cx with a fake User-Agent KICS-Telemetry/2.0.
2. The Parallel Trivy Incident
The KICS attack came just weeks after a similar compromise of the aquasec/trivy repository. In that case too, stolen publisher credentials allowed malicious images to be pushed. The Trivy incident also used tag overwrites and created new tags. Both attacks targeted widely used scanning tools—Trivy for container vulnerabilities, KICS for Infrastructure as Code security. The pattern—credential theft, legitimate push, and quiet data exfiltration—reveals a clear escalation in supply chain tactics aimed at security tooling itself.
3. Stolen Credentials, Not Infrastructure Breach
In both incidents, Docker’s infrastructure remained uncompromised. The breaches occurred because publisher credentials—likely compromised via phishing, credential stuffing, or leaked API keys—gave attackers the same powers as legitimate maintainers. This distinction is crucial: it shifts the responsibility from platform security to credential hygiene and publisher verification. Even if you trust Docker Hub, compromised credentials can open the door wide.
4. What Was Exfiltrated from KICS Users
Because KICS scans Terraform, CloudFormation, Kubernetes, and other configuration files, its scan output routinely contains sensitive data: secrets, cloud credentials, resource names, and internal network topology. The malware encrypted this output and sent it out. If your CI pipeline ran KICS against any repository with credentials in scope during the exposure window (April 22 onward for KICS, earlier for Trivy), those secrets may have been stolen. This is why immediate credential rotation is critical.
5. Immediate Actions for Affected Users
- Rotate all credentials that were within the scope of any KICS or Trivy scan during the exposure window.
- Re-pull checkmarx/kics by digest, not by tag. Use the known-good digests published by Checkmarx.
- Pin your CI to the digest so a future tag overwrite cannot silently affect you again.
- Purge malicious digests from local caches, CI runners, and pull-through registries. The malicious digests are listed in the original advisory.
See the next section for more on why digest pinning is essential.
6. Why Pinning by Digest Is Essential
Docker tags are mutable—they can be pointed to different images over time. This is a feature for updates but a serious risk when credentials are stolen. By pinning to a specific digest (the SHA256 hash of the image content), you ensure you always run the exact same software, regardless of what the tag points to later. Even if an attacker overwrites the tag, your pipeline will continue using the known-good digest. This is a simple, highly effective defense that should be standard for all production container usage.
7. The Power of Open, Fast Collaboration
Both Docker and the affected vendors responded rapidly and transparently. Checkmarx quickly rotated credentials, published malicious digests, and worked with Docker to remove the bad images. This open collaboration allowed the wider community to detect and remediate faster than if the response had been siloed. The case for open, fast collaboration in supply chain security is clear: when publishers share indicators of compromise immediately, everyone benefits. Consider joining industry threat-sharing groups.
8. Long-Term Defensive Investments for the Industry
These attacks highlight that security tooling itself is now a prime target. Defenders should invest in: multi-factor authentication for all publishing accounts; credential rotation policies and monitoring for leaked keys; image signing (e.g., using Notary or Sigstore) to verify provenance; tag immutability where possible; and behavioral monitoring of build pipelines. Additionally, runtime detection of unexpected network connections from scanning tools can catch exfiltration early. The shape of supply chain attacks in 2026 is clear—your defenses must evolve.
These two events are a wake-up call for everyone in the container ecosystem. They prove that supply chain security is not just about scanning your images; it’s about protecting the scanners themselves. By learning from the Trivy and KICS incidents, implementing the immediate fixes, and investing in long-term controls, you can harden your software supply chain against similar attacks.