Checkmarx Security Update

malicious packages in the AI world

Last Updated April 2, 2026

On March 23, 2026, Checkmarx identified a cybersecurity supply chain incident affecting certain Checkmarx‑related developer artefacts distributed via third‑party channels.

This post contains a structured overview of the incident and the steps we have taken to date, as well as additional resources to support our clients and team members.

What Happened

On March 23, 2026, Checkmarx was the target of a cybersecurity supply chain incident that affected two specific plugins distributed via the OpenVSX marketplace and two of our GitHub Actions workflows.

OpenVSX Plugins

On March 23, 2026, at approximately 02:53 UTC, malicious versions of two plugins were published to the OpenVSX registry.

Only organizations that downloaded the following artifacts from OpenVSX on March 23, 2026, between 02:53 UTC and 15:41 UTC, and ran them are potentially impacted by this incident.

  • ast-results-2.53.0.vsix
  • cx-dev-assist-1.7.0.vsix

The affected plug-ins are no longer available and all older GitHub versions have been permanently removed.

Plugins downloaded from the VS Code Marketplace were not affected.

Recommended actions

The following guidance is provided as a precautionary measure to support customer‑led assessments and remediation, where relevant to their environments.

If a client downloaded and ran either of the above extensions from the Open VSX registry, their organization may be affected.

If the client organization may have been affected, we strongly recommend taking the following steps as soon as possible.

1. Remove Malicious Components

  • Uninstall the following VSIX extensions from all environments:
    • checkmarx.ast-results-2.53.0.vsix
    • checkmarx.cx-dev-assist-1.7.0.vsix
  • Use ast-github-action v2.3.33 only
  • Use kics-github-action v2.1.20 only
  • Ensure they are removed from:
    • All developer machines
    • All VSCode profiles and environments

2. Revoke and Rotate Credentials

GitHub Actions

An issue was also identified in the KICS and AST GitHub Actions on March 23, 2026. The attacker injected malicious payloads into the following GitHub Actions workflows, which were available between 12:58 and 16:50 UTC:

  • checkmarx/ast-github-action
  • checkmarx/kics-github-action

Maintainers revoked the affected tags, secured access, and prevented further unauthorized changes.

All GitHub Actions have been updated to the following latest verified releases, and all older versions have been permanently deleted from the organization’s repositories:

  • ast-github-action — v2.3.33 (released March 23, 2026)
  • kics-github-action — v2.1.20 (released March 23, 2026)

These are the only versions available in our repos. All pipelines must reference these versions, or newer ones, exclusively.

Recommended actions

If you downloaded the malicious versions of either plugin (ast-results-2.53.0.vsix or cx-dev-assist-1.7.0.vsix) from OpenVSX during the affected period, we strongly recommend following these precautionary steps:

  • Revoke and rotate all secrets and credentials accessible to CI runners during the affected period, including GitHub Personal Access Tokens (PATs), cloud service credentials, and repository- or organization-level secrets.
  • Review GitHub Actions runs, search for suspicious indicators such as references to tpcp.tar.gz, aquasecurity, or checkmarx.zone, and check for unexpected repositories like tpcp-docs. If you spot any occurrences of these, remove them or contact Checkmarx Support for guidance.
  • Revoke access to the following tokens, and issue new ones:
    • GitHub credentials
    • Microsoft Azure access
    • Google Cloud (GCP) access
    • AWS access
    • Kubernetes service account tokens and kubeconfigs
    • SSH keys
    • Docker registry credentials
  • Block malicious infrastructure by restricting access to checkmarx[.]zone, and review historical network traffic for any communication with this domain.
  • Review logs and systems for GitHub activity such as unexpected API usage, suspicious repositories or artifacts such as docs-tpcp and/or tpcp.tar.gz, and unauthorized releases or CI-triggered changes.
  • For any token, key or credential revoked in the previous steps:
    • Review related activity within the exposure time frame to validate that no lateral movement took place.
    • Monitor for any future attempts to use these credentials, to identify ongoing attempts to attack your infrastructure.
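The log review described above, as an added example that is not Checkmarx tooling: the script scans GitHub Actions run logs or runner logs for the indicators this advisory names (checkmarx.zone, tpcp.tar.gz, tpcp-docs / docs-tpcp, an injected setup.sh, and references to aquasecurity) and reports each hit with its category. The sample log lines embedded in it are constructed for illustration and are not from any real run.

```python
"""Scan CI run logs for the indicators listed in the Checkmarx advisory.
Added example, not Checkmarx tooling; SAMPLE_LOG is constructed data."""
import re

# Indicators taken from the advisory. The domain is written de-fanged there
# (checkmarx[.]zone); the pattern matches the form that appears in real logs.
INDICATORS = {
    "domain": re.compile(r"\bcheckmarx\.zone\b", re.I),
    "archive": re.compile(r"\btpcp\.tar\.gz\b", re.I),
    "repo": re.compile(r"\b(?:tpcp-docs|docs-tpcp)\b", re.I),
    # setup.sh is only suspicious when it is not part of the customer's own
    # workflow, so hits here need review in context, not automatic action.
    "setup_script": re.compile(r"\bsetup\.sh\b", re.I),
    # Listed by the advisory as a string to search for; may also appear in
    # legitimate tooling references, so review hits in context.
    "aquasecurity": re.compile(r"\baquasecurity\b", re.I),
}

def scan_log_lines(lines):
    """Return (line_number, indicator_name, line) for every indicator hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.append((n, name, line.rstrip()))
    return hits

def has_domain_contact(lines):
    """True if any line shows contact with the exfiltration domain, which the
    advisory treats as a confirmed indicator of compromise."""
    return any(name == "domain" for _, name, _ in scan_log_lines(lines))

# Constructed runner log excerpt mixing benign and suspicious lines.
SAMPLE_LOG = """\
2026-03-23T13:02:11Z Run checkmarx/ast-github-action@main
2026-03-23T13:02:12Z Downloading scanner bundle
2026-03-23T13:02:14Z Executing setup.sh
2026-03-23T13:02:15Z Outbound connection to checkmarx.zone:443
2026-03-23T13:02:20Z Scan completed successfully
""".splitlines()

if __name__ == "__main__":
    import sys
    lines = SAMPLE_LOG
    if len(sys.argv) > 1:  # pass a saved run log as the first argument
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
    for n, name, line in scan_log_lines(lines):
        print(f"line {n}: [{name}] {line}")
    print("domain contact:", has_domain_contact(lines))
```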

Containment & Remediation

Upon identification of the issue, we took immediate steps to contain and remediate the incident. We removed the unauthorized code, pinned our workflows to safe verified commit SHAs, revoked and rotated relevant credentials, blocked outbound access to the attacker-controlled domain, and reviewed our environments for any signs of further compromise.

Investigation Status

We have commenced a formal investigation and engaged external forensic specialists to support that work. This investigation is ongoing and includes investigating the behaviour and objectives of the malicious code.

Available information indicates that the primary functionality of the code was focused on the attempted collection and exfiltration of credentials and secrets from affected environments, without evidence to date that such data was successfully exfiltrated from any customer environment.

Based on the investigation to date, and subject to the evidential limitations described below, we recommend continued vigilance and that you notify us promptly if you become aware of any suspicious activity.

While the investigation is ongoing, to date, we do not have evidence indicating that the incident resulted in unauthorised access to customer data or systems, that data held by Checkmarx has been accessed, nor can we yet confirm that any particular customer environment was compromised.

It is important to note that because the affected artefacts execute within customer‑controlled environments, confirmation of whether a particular customer was impacted depends on an assessment of those environments, rather than on telemetry held by Checkmarx. Those CI/CD pipelines and developer workstations are customer‑controlled environments, and Checkmarx does not have independent visibility into their execution or logs.

Our Commitment to You

If you have any questions or need assistance assessing client exposure, please reach out to our security team at [email protected]. Additionally, we have published detailed assessment and remediation guidance, including indicators of compromise, version information and recommended next steps for customers on our support portal.  

Protecting the security and privacy of our clients and team members is a responsibility we hold to the highest standard. As part of our commitment to transparency, we will provide updates as appropriate and as our investigation progresses.

Frequently Asked Questions

How can a customer determine whether its specific environment was affected?

“Determining whether a specific environment was affected requires a structured assessment across two vectors: CI/CD pipelines and developer workstations.

Assessment — CI/CD pipelines (GitHub Actions):

  1. Search all GitHub workflow files (.github/workflows/*.yml) for references to checkmarx/kics-github-action and checkmarx/ast-github-action.
  2. If references are identified, determine the version or tag in use (e.g., @main, @v2.3.32, a commit SHA).
  3. Ascertain whether any workflow runs referencing these actions occurred during the affected window in March 2026. GitHub Actions run logs are retained for a configurable period and should be reviewed for the relevant timeframe.
  4. If runs occurred during the affected window, review runner logs for: outbound connections to checkmarx[.]zone, execution of a setup.sh script not forming part of the customer’s own workflow, or any anomalous network activity.

Assessment – Developer workstations (Open VSX plugins):

  1. Identify all developers utilizing VS Code within the organization.
  2. Determine whether Checkmarx extensions were installed from the Open VSX Registry (open-vsx.org) rather than the official VS Code Marketplace (marketplace.visualstudio.com).
  3. Verify the extension version and installation or last-update timestamp. Any Checkmarx VS Code extension installed or auto-updated from the Open VSX Registry during the affected window should be treated as potentially compromised.
  4. Inspect the workstation for the relevant plugin directories (refer to FAQ F10 for applicable paths) and review proxy or DNS logs for connections to checkmarx[.]zone.

Important note regarding Checkmarx scan-based detection:

Executing a Checkmarx SAST or SCA scan against your organization’s codebase will not detect whether your environment was compromised by this incident. The incident involves malicious code executed within a CI/CD runner or IDE environment and does not constitute a vulnerability in application code that a scan would identify. Exposure assessment must be conducted through log analysis, workstation inspection, and credential audit as described above.”
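As an added example (not Checkmarx tooling), the following Python script carries out steps 1 and 2 of the CI/CD assessment above: it walks .github/workflows/*.yml, finds every `uses:` reference to the two actions, and classifies the ref against the verified releases the advisory names (ast-github-action v2.3.33, kics-github-action v2.1.20). A floating ref such as @main is reported as affected, an older tag as affected, and a commit SHA is reported for manual comparison, since the page does not list release SHAs.

```python
"""Audit GitHub workflow files for references to the two Checkmarx actions
named in this advisory and classify each reference against the verified
releases it lists. Added example, not Checkmarx code."""
import re
from pathlib import Path

# Minimum clean tags stated in the GitHub Actions section of the advisory.
SAFE_MIN = {
    "checkmarx/ast-github-action": (2, 3, 33),
    "checkmarx/kics-github-action": (2, 1, 20),
}

USES_RE = re.compile(
    r"uses:\s*['\"]?(checkmarx/(?:ast|kics)-github-action)@([\w.\-/]+)"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
TAG_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")

def classify_ref(action: str, ref: str) -> str:
    """Return 'safe', 'affected' or 'verify-sha' for one uses: reference."""
    if SHA_RE.match(ref):
        # A commit pin cannot be judged from the tag list; compare it with the
        # SHAs of the verified releases in the action's repository.
        return "verify-sha"
    m = TAG_RE.match(ref)
    if not m:
        # @main or any other floating ref resolved to the compromised commit
        # during the exposure window, so treat it as affected.
        return "affected"
    version = tuple(int(x) for x in m.groups())
    return "safe" if version >= SAFE_MIN[action] else "affected"

def audit_workflow_text(text: str) -> list[tuple[str, str, str]]:
    """Find every reference to the two actions in one workflow's YAML text."""
    return [(a, r, classify_ref(a, r)) for a, r in USES_RE.findall(text)]

def audit_workflows(root: str) -> list[tuple[str, str, str, str]]:
    """Walk .github/workflows/*.yml and *.yaml under root (step 1 above)."""
    findings = []
    for path in sorted(Path(root, ".github", "workflows").glob("*.y*ml")):
        for action, ref, verdict in audit_workflow_text(path.read_text()):
            findings.append((str(path), action, ref, verdict))
    return findings

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, action, ref, verdict in audit_workflows(root):
        print(f"{verdict:<10} {path}: {action}@{ref}")
```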

How did the compromise happen, how was it discovered, and what is Checkmarx doing to prevent similar supply-chain attacks in the future?

See Checkmarx Security Update, 26 March 2026 (https://checkmarx.com/blog/checkmarx-security-update/)

Which Checkmarx GitHub Actions and plugins were affected?

Both checkmarx/ast-github-action and checkmarx/kics-github-action were affected by this incident, as were the two Open VSX Registry plugins referenced in Checkmarx’s security communications.

What IOCs can Checkmarx share (hashes, filenames/folders, domains, IPs, SHAs, setup.sh artifacts)?

The following indicators of compromise (IOCs) have been identified through Checkmarx’s investigation and independent third-party security research. The investigation remains ongoing and additional IOCs may be published.

Malicious domain / command-and-control infrastructure:

checkmarx[.]zone – This attacker-controlled domain was intended to be used for the exfiltration of any stolen credentials and secrets. Any outbound DNS query or HTTP/HTTPS connection to this domain originating from CI/CD runners or developer workstations during the affected window should be treated as a confirmed indicator of compromise.

Malicious VSIX filenames (Open VSX):

  • ast-results-[version].vsix
  • cx-dev-assist-[version].vsix

The specific filenames checkmarx.ast-results-2.53.0.vsix and checkmarx.cx-dev-assist-1.7.0.vsix have been referenced in customer communications. Customers should evaluate any version downloaded from the Open VSX Registry during the affected window, not solely these specific version numbers.

On-disk extension directories:

The presence of Open VSX-sourced Checkmarx extension directories within VS Code’s extension folder constitutes a potential indicator. Refer to FAQ F10 for applicable file paths.

Runner artifacts (setup.sh):

The compromised GitHub Actions injected a script (setup.sh) on the CI/CD runner as part of the action’s initialization sequence. The presence of this script or associated runner artifacts constitutes a behavioral indicator of compromise. The full contents of setup.sh cannot be publicly disclosed at this time given the ongoing investigation.

File hashes (SHA256), sourced from Wiz threat intelligence reporting:

ast-results-2.53.0.vsix: 65bd72fcddaf938cefdf55b3323ad29f649a65d4ddd6aea09afa974dfc7f105d

cx-dev-assist-1.7.0.vsix: 744c9d61b66bcd2bb5474d9afeee6c00bb7e0cd32535781da188b80eb59383e0

Which credentials, secrets, or keys must be rotated, and was only GitHub affected or potentially other credentials too?

The malicious payload embedded in both the GitHub Actions and the Open VSX plugins was designed to exfiltrate environment variables and secrets from the execution context of the affected GitHub repository.

Credentials at risk – GitHub Actions (CI/CD):

Any secret configured within the affected GitHub repository or organization and accessible to the workflow at the time the compromised action executed is potentially at risk. This includes, but is not limited to: GITHUB_TOKEN, API keys, cloud provider credentials, database credentials, and Checkmarx API tokens.

Credentials at risk – Developer workstations (Open VSX plugin exposure):

Any credential accessible within the VS Code environment, including those stored in environment variables, configuration files, or tokens used by the IDE, should be treated as potentially at risk.

Credentials requiring rotation:

  1. All GitHub repository secrets in any repository or organization where the compromised actions executed.
  2. Checkmarx API keys and tokens used within the affected pipelines.
  3. Cloud provider credentials (AWS, Azure, GCP) if present as environment variables in affected workflows.
  4. All other API keys, tokens, or passwords configured as GitHub secrets or environment variables in the affected workflows.
  5. On developer workstations: any tokens or secrets stored in VS Code settings, environment variables, or configuration files where the malicious Open VSX plugin was installed and active.

Will Checkmarx provide a formal root-cause analysis (RCA) report?

Checkmarx recognizes that many enterprise customers — particularly those in regulated industries or with formal vendor risk management programs — require a written root-cause analysis or incident statement from strategic suppliers following a supply chain security incident such as this.

Checkmarx is committed to providing material updates and to preparing a post-incident report. While the investigation is still ongoing — including with support from a third-party forensic firm we have engaged — we expect the report to include:

  • Our findings with respect to the root cause and attack vector exploited by the TeamPCP threat actor, as established by the investigation
  • A timeline of events from initial compromise through detection and remediation
  • Findings with respect to affected artifacts and the scope of customer impact, as confirmed by the investigation
  • The remediation actions taken by Checkmarx
  • Forward-looking preventive controls to enhance Checkmarx’s security posture

Does this incident affect Checkmarx One SaaS / cloud or scanning engines, and do SaaS-only customers need to take action?

The Checkmarx One SaaS platform, including cloud-hosted scanning engines, the Checkmarx One web application, and associated backend services, does not appear to be affected by this incident.

This incident constitutes a supply-chain compromise targeting specific open-source distribution artifacts (GitHub Actions and Open VSX plugins). It does not represent a breach of Checkmarx’s SaaS infrastructure. It does not appear that the threat actor obtained access to Checkmarx One customer tenants, customer data, scan results, or the platform’s internal systems.

Notwithstanding the above, SaaS customers who utilize the affected GitHub Actions (checkmarx/kics-github-action or checkmarx/ast-github-action) within their own CI/CD pipelines, or whose developers installed plugins sourced from the Open VSX Registry, may be indirectly affected.

We understand that the residual risk pertains to the customer’s own CI/CD runner environments and developer workstations on which the malicious code may have executed.

Recommended action for SaaS customers:

If your organization does not use checkmarx/kics-github-action or checkmarx/ast-github-action in its GitHub pipelines and developers do not use Open VSX-sourced plugins, no specific action with respect to the SaaS platform is required. If the affected GitHub Actions are in use, any runner that executed those actions during the affected window should be treated as potentially compromised, and customers should follow the remediation guidance including credential rotation, log review, and runner inspection. We recommend heightened vigilance at this time.

Which versions, tags, and time windows were affected, and which versions are safe now?

Affected versions and tags:

checkmarx/ast-github-action:

  • 3.32 was compromised.
  • References to @main during the exposure window (March 2026) were compromised.
  • Any unpinned or floating reference that resolved to a compromised commit during the exposure window should be treated as affected.

checkmarx/kics-github-action:

  • All versions and tags active on the @main branch during the exposure window (March 2026) were compromised.
  • Any unpinned or floating reference that resolved during the exposure window should be treated as affected.

Open VSX plugins:

  • ast-results v2.53.0 was compromised.
  • cx-dev-assist v1.7.0 was compromised.
  • Any version of either plugin installed or auto-updated from the Open VSX Registry during the exposure window should be treated as compromised.

Safe versions (post-remediation):

  • checkmarx/ast-github-action v2.3.33 or later has been confirmed clean.
  • checkmarx/kics-github-action: pin to a version or commit SHA published following remediation; customers should confirm the specific safe tag with their Checkmarx account team.
  • Open VSX plugins: reinstall from the official VS Code Marketplace. Current Marketplace versions are confirmed clean.
  • @main as of the date of remediation references clean code; however, pinning to an explicit version tag or commit SHA is strongly recommended as best practice.

Exposure window:

Malicious artifacts were active during March 2026. The precise commencement date remains under investigation. Any pipeline execution or plugin installation or auto-update occurring during this period should be evaluated for potential exposure.

Is a third party involved in the investigation, what is the investigation timeline, and has/will the incident be reported to regulators or law enforcement?

Yes. We have appointed external breach counsel and a leading forensics expert to assist with our investigation. We are unable to provide an estimated timeline. At this stage, we are notifying regulators and law enforcement as we deem necessary.