Cybersecurity researchers have detected an active campaign against the official Docker Hub repository checkmarx/kics. According to an advisory from the firm Socket, unknown actors managed to overwrite legitimate tags such as v2.1.20 and alpine, in addition to creating a fake v2.1.21 tag. The incident exposes risks in the software supply chain and affects teams that blindly trust official images.
How the attack works and which tags are compromised 🛡️
The attack exploits the ability to overwrite existing tags on Docker Hub without requiring a new release. The v2.1.20 and alpine tags were replaced with malicious versions, while the v2.1.21 tag does not correspond to any official Checkmarx release. Socket recommends verifying the hash of downloaded images and avoiding the use of the latest or alpine tags until further notice. The incident highlights the importance of signing images and pulling them by immutable references such as the image's sha256 digest rather than by mutable tag.
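Added example, not code from the Socket advisory or from the KICS project: a small Python policy check that refuses the mutable checkmarx/kics tags named above and accepts only digest-pinned references whose digest matches a locally recorded value. The digest values and the Dockerfile are constructed placeholders.

```python
# Digest values below are CONSTRUCTED placeholders, not the real checkmarx/kics
# digests; take real values from the vendor's release notes or a verified attestation.
GOOD_DIGEST = "sha256:" + "a1" * 32
TRUSTED_DIGESTS = {"checkmarx/kics": {"v2.1.20": GOOD_DIGEST}}
# Tags reported overwritten (v2.1.20, alpine) or never released (v2.1.21).
SUSPECT_TAGS = {"checkmarx/kics": {"v2.1.20", "alpine", "v2.1.21", "latest"}}

def parse_image_ref(ref: str) -> dict:
    """Split 'repo[:tag][@sha256:...]' into parts; a 'docker.io/' prefix is dropped."""
    name, _, digest = ref.partition("@")
    path, sep, last = name.rpartition("/")
    # A colon in the last path component is a tag; earlier colons are registry ports.
    last, _, tag = last.partition(":") if ":" in last else (last, "", "")
    repo = f"{path}/{last}" if sep else last
    if repo.startswith("docker.io/"):
        repo = repo[len("docker.io/"):]
    return {"repo": repo, "tag": tag or None, "digest": digest or None}

def check_image_ref(ref: str) -> tuple[bool, str]:
    """Allow only digest-pinned references whose digest (and tag, if given) is recorded."""
    p = parse_image_ref(ref)
    repo, tag, digest = p["repo"], p["tag"], p["digest"]
    trusted = TRUSTED_DIGESTS.get(repo, {})
    if digest is None:
        if tag in SUSPECT_TAGS.get(repo, set()):
            return False, f"{repo}:{tag} is a mutable tag reported overwritten or unreleased"
        return False, f"{repo}:{tag or 'latest'} is not pinned by digest"
    if digest not in trusted.values():
        return False, f"{repo}@{digest[:19]}... is not a recorded trusted digest"
    if tag is not None and trusted.get(tag) != digest:
        return False, f"tag {tag} does not match the digest recorded for it"
    return True, f"{repo}@{digest[:19]}... matches the recorded digest"

def scan_dockerfile(text: str) -> list[tuple[str, bool, str]]:
    """Check each FROM line; returns (image ref, allowed, reason) per line."""
    results = []
    for line in text.splitlines():
        w = line.split()
        if len(w) >= 2 and w[0].upper() == "FROM":
            ref = w[2] if w[1].startswith("--platform=") and len(w) > 2 else w[1]
            results.append((ref, *check_image_ref(ref)))
    return results

# Constructed Dockerfile: two suspect tags and one properly digest-pinned reference.
SAMPLE_DOCKERFILE = f"""FROM checkmarx/kics:alpine AS kics
FROM docker.io/checkmarx/kics:v2.1.21
FROM checkmarx/kics:v2.1.20@{GOOD_DIGEST}
"""
```

Running `scan_dockerfile(SAMPLE_DOCKERFILE)` blocks the first two lines and allows only the digest-pinned third; a `docker pull checkmarx/kics@sha256:...` form is what the allowed reference corresponds to.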
The attack that turns a container into a container of surprises 😅
Because there's nothing like waking up, running a docker pull, and discovering that your security image now comes with an extra dose of malware. The attackers, apparently, decided that the alpine tag needed a more... alpine touch. The worst part is that the v2.1.21 tag sounds so official that even KICS itself would have been confused. Good thing it's just an alert; we'll see in the next patch whether it's time to disinfect the cluster or change hobbies.