Supply Chain Attacks on Docker Hub: Lessons from the Trivy and KICS Incidents

In early 2026, two separate but strikingly similar supply chain attacks shook the container security community. Threat actors compromised the Docker Hub repositories for Trivy and Checkmarx KICS—two widely used security scanning tools—by stealing publisher credentials. Both incidents involved overwriting legitimate image tags with malicious digests, exposing users who pulled those tags to stealthy data exfiltration. This Q&A breaks down what happened, how to check if you were affected, and what these attacks reveal about the evolving threat landscape.

1. What exactly happened in the Trivy and KICS Docker Hub compromises?

In both incidents, attackers gained access to legitimate publisher credentials for the official Docker Hub repositories of Trivy (an open-source vulnerability scanner) and Checkmarx KICS (an infrastructure-as-code security tool). Using these stolen credentials, they pushed malicious container images that overwrote existing tags and created new ones. The attacks occurred within weeks of each other: the Trivy compromise first, then the KICS incident on April 22, 2026. Crucially, Docker’s own infrastructure was not breached—the attacks exploited compromised accounts with valid publishing rights. The malicious images were built from attacker-controlled source repositories and included a hidden exfiltration component that collected sensitive scan output and sent it to external servers.

2. How were attackers able to push malicious images without breaching Docker's infrastructure?

The attackers used stolen publisher credentials—likely obtained through phishing, credential stuffing, or previous breaches—to authenticate as legitimate maintainers. Once authenticated, they had the same permissions as the original publishers: they could push image manifests and tags to the repository. This means they bypassed any need to compromise Docker Hub’s servers, registry software, or authentication mechanisms. The attack surface was not technical infrastructure but human and process weaknesses: weak password hygiene, lack of multi-factor authentication (MFA), or insufficient access controls. The pattern highlights that even highly secure registries are only as safe as the credentials used to publish images.

3. What was the nature of the malicious payload in the KICS images?

The KICS malicious images contained a modified binary that preserved the tool’s legitimate scanning functionality—so it would still produce valid output—but added a quiet exfiltration path. Scan results (which often contain secrets, credentials, cloud resource names, and internal topology from Terraform, CloudFormation, and Kubernetes files) were encrypted and sent to an attacker-controlled domain: audit.checkmarx[.]cx. The exfiltration used a custom User-Agent KICS-Telemetry/2.0 to blend in. Because KICS is designed to scan configuration files that frequently hold sensitive information, the data exfiltrated would be highly valuable for lateral movement or further attacks. The attackers kept the surface intact to avoid immediate detection by users expecting normal scan output.

4. Which specific tags and digests were compromised in the KICS attack?

The threat actor overwrote five existing tags (latest, v2.1.20, v2.1.20-debian, alpine, debian) and created two new tags (v2.1.21, v2.1.21-debian). The malicious index manifest digests are:

• For alpine, v2.1.20, v2.1.21: sha256:2588a44890263a8185bd5d9fadb6bc9220b60245dbcbc4da35e1b62a6f8c230d
• For debian, v2.1.20-debian, v2.1.21-debian: sha256:222e6bfed0f3bb1937bf5e719a2342871ccd683ff1c0cb967c8e31ea58beaf7b
• For latest: sha256:a0d9366f6f0166dcbf92fcdc98e1a03d2e6210e8d7e8573f74d50849130651a0

If your pull history contains any of these digests (including amd64/arm64 variants), treat the image as malicious. Full details are in the next section.

5. How can users check if they pulled the malicious images and what should they do?

First, examine your Docker pull history for any of the malicious index manifest digests or image digests listed in question 4. If you use a CI/CD system, check your cached or pulled images. The exposure window for KICS ran from April 22, 2026, until the incident was detected and the tags were cleaned. For affected users, the key action is rotating any credentials that were present in the repositories scanned by KICS during that window—since scan output was exfiltrated. Next, re-pull the official KICS image by digest (not tag) to ensure you get the legitimate version. Finally, pin your CI pipelines to the verified digest so future tag overwrites do not silently affect you. Also purge the malicious digests from local caches, CI runners, and any pull-through registries.

6. What does this pattern reveal about supply chain security and future defenses?

These two incidents highlight a critical shift: attackers are targeting the publishing layer rather than the infrastructure itself. Stolen credentials from maintainers now pose the greatest risk to container registries. This pattern demands stronger authentication measures for publishers, such as mandatory MFA, hardware-bound keys, and automated anomaly detection on registry actions. For consumers, the key lesson is to never trust tags alone—always pin images by digest in production environments. Furthermore, organizations should implement runtime monitoring of container behavior, such as unexpected network connections, to detect exfiltration. The speed of collaboration between Docker, Checkmarx, and the security community in responding to these attacks underscores the need for open, fast information sharing.

7. Why is pinning by digest recommended over tags?

Tags are mutable pointers—they can be overwritten at any time by anyone with publisher credentials. In both the Trivy and KICS attacks, the threat actor simply overwrote existing tags (latest, alpine, debian) with malicious digests. Any user or CI pipeline pulling by tag received the compromised version without any warning. Digest pinning uses the immutable content hash of the image manifest, which cannot be changed without producing a different digest. So, docker pull checkmarx/kics@sha256:... guarantees you get exactly the verified image. Best practice: in your Dockerfiles, Kubernetes manifests, or CI scripts, always reference images by digest after you have validated them. This breaks the attack chain of tag overwrites, even if credentials are later stolen.