{"id":108697,"date":"2026-05-09T19:53:39","date_gmt":"2026-05-09T17:53:39","guid":{"rendered":"https:\/\/staging.checkmarx.com\/?p=108697"},"modified":"2026-05-22T21:39:29","modified_gmt":"2026-05-22T19:39:29","slug":"ongoing-security-updates","status":"publish","type":"post","link":"https:\/\/checkmarx.com\/blog\/ongoing-security-updates\/","title":{"rendered":"Update: Ongoing Checkmarx Supply Chain Security Incident"},"content":{"rendered":"<style>\n@media (max-width: 991px) {\n  \/* Force the 3-column layout to single column on mobile *\/\n  .post-layout {\n    display: block !important;\n    grid-template-columns: none !important;\n    width: 100% !important;\n    max-width: 100vw !important;\n    overflow-x: hidden !important;\n    padding-left: 0 !important;\n    padding-right: 0 !important;\n  }\n  .post-layout > .content,\n  .post-layout > article.content {\n    width: 100% !important;\n    max-width: 100vw !important;\n    grid-column: 1 \/ -1 !important;\n    padding-left: 16px !important;\n    padding-right: 16px !important;\n    box-sizing: border-box !important;\n    overflow-x: hidden !important;\n  }\n  \/* Hide right sidebar on mobile (it's likely empty \/ supposed to be hidden) *\/\n  .post-layout .sidebar--right { display: none !important; }\n  \/* Left sidebar TOC can also be hidden on mobile since main TOC is removed *\/\n  .post-layout .sidebar--left { display: none !important; }\n<p>  \/* Kill any horizontal overflow on common page wrappers *\/\n  html, body {\n    overflow-x: hidden !important;\n    max-width: 100vw !important;\n    width: 100% !important;\n  }\n  body main,\n  main {\n    overflow-x: hidden !important;\n    max-width: 100vw !important;\n  }\n}\n<p>\/* ============================================================\n   SCOPED INCIDENT STYLES\n   ============================================================ *\/\n<p>\/* Container \u2014 force everything to fit viewport, no matter the parent *\/\n.cx-incident {\n  color: #0E0F11 
!important;\n  width: 100% !important;\n  max-width: 100% !important;\n  margin: 0 !important;\n  padding: 0 !important;\n  box-sizing: border-box !important;\n  overflow-x: hidden !important;\n  overflow-y: visible !important;\n  word-wrap: break-word !important;\n  overflow-wrap: break-word !important;\n  position: relative !important;\n}\n<p>@media (max-width: 991px) {\n  .cx-incident {\n    max-width: 100% !important;\n    width: 100% !important;\n    padding-left: 0 !important;\n    padding-right: 0 !important;\n  }\n}\n.cx-incident *,\n.cx-incident *::before,\n.cx-incident *::after {\n  box-sizing: border-box !important;\n  max-width: 100% !important;\n}\n<p>\/* Body text *\/\n.cx-incident p,\n.cx-incident li {\n  font-size: 16px !important;\n  line-height: 1.55 !important;\n  margin: 0 0 14px !important;\n  word-wrap: break-word !important;\n  overflow-wrap: break-word !important;\n}\n.cx-incident strong { font-weight: 600 !important; }\n.cx-incident a {\n  color: #0563c1 !important;\n  text-decoration: underline !important;\n  word-break: break-word !important;\n  overflow-wrap: break-word !important;\n}\n.cx-incident a:hover { color: #6b34fd !important; }\n<p>\/* Lists *\/\n.cx-incident ul,\n.cx-incident ol {\n  margin: 0 0 14px 22px !important;\n  padding: 0 !important;\n}\n.cx-incident li { margin-bottom: 6px !important; }\n<p>\/* Headings *\/\n.cx-incident h2.cx-section-title {\n  color: #F25929 !important;\n  font-size: 28px !important;\n  font-weight: 500 !important;\n  margin: 32px 0 16px !important;\n  letter-spacing: 0.01em !important;\n  line-height: 1.2 !important;\n}\n.cx-incident h3 {\n  font-size: 18px !important;\n  font-weight: 600 !important;\n  margin: 22px 0 10px !important;\n  color: #121185 !important;\n  line-height: 1.3 !important;\n}\n.cx-incident h4 {\n  font-size: 16px !important;\n  font-weight: 600 !important;\n  margin: 16px 0 8px !important;\n  color: #121185 !important;\n  line-height: 1.3 !important;\n}\n<p>\/* ---------- 
Timeline table ---------- *\/\n.cx-timeline-wrap {\n  margin: 16px 0 28px !important;\n  width: 100% !important;\n}\n.cx-timeline-table {\n  width: 100% !important;\n  border-collapse: collapse !important;\n  border: 1px solid #d8d8e8 !important;\n  table-layout: fixed !important;\n}\n.cx-timeline-table thead th {\n  background: #121185 !important;\n  color: #fff !important;\n  text-align: left !important;\n  padding: 10px 12px !important;\n  font-weight: 600 !important;\n  font-size: 13px !important;\n  border: 1px solid #121185 !important;\n}\n.cx-timeline-table tbody tr {\n  cursor: pointer !important;\n  background: #fff !important;\n}\n.cx-timeline-table tbody tr:nth-child(even) { background: #f6f5ff !important; }\n.cx-timeline-table tbody tr:hover { background: #ece9ff !important; }\n.cx-timeline-table td {\n  padding: 12px !important;\n  vertical-align: top !important;\n  border: 1px solid #d8d8e8 !important;\n  line-height: 1.5 !important;\n  font-size: 14px !important;\n  word-wrap: break-word !important;\n  overflow-wrap: break-word !important;\n}\n.cx-timeline-table td:first-child {\n  font-weight: 600 !important;\n  color: #121185 !important;\n  white-space: nowrap !important;\n}\n.cx-timeline-table td:nth-child(2) { font-weight: 600 !important; }\n.cx-timeline-table .cx-link-col {\n  color: #6b34fd !important;\n  font-weight: 600 !important;\n}\n<p>\/* ---------- Accordion ---------- *\/\n.cx-acc {\n  margin: 8px 0 24px !important;\n  width: 100% !important;\n}\n.cx-acc__item {\n  border: 1px solid #d8d8e8 !important;\n  border-radius: 8px !important;\n  margin-bottom: 10px !important;\n  background: #fff !important;\n  overflow: hidden !important;\n  width: 100% !important;\n}\n.cx-acc__btn {\n  width: 100% !important;\n  text-align: left !important;\n  background: #f6f5ff !important;\n  border: none !important;\n  padding: 14px 44px 14px 16px !important;\n  font-size: 18px !important;\n  font-weight: 400 !important;\n  color: #121185 !important;\n  
cursor: pointer !important;\n  position: relative !important;\n  font-family: inherit !important;\n  line-height: 1.35 !important;\n  word-wrap: break-word !important;\n  overflow-wrap: break-word !important;\n  display: block !important;\n}\n.cx-acc__btn:hover { background: #ece9ff !important; }\n.cx-acc__btn::after {\n  content: \"\" !important;\n  position: absolute !important;\n  right: 18px !important;\n  top: 50% !important;\n  width: 10px !important;\n  height: 10px !important;\n  border-right: 2px solid #121185 !important;\n  border-bottom: 2px solid #121185 !important;\n  transform: translateY(-70%) rotate(45deg) !important;\n  transition: transform 0.25s ease !important;\n}\n.cx-acc__item.is-open .cx-acc__btn { background: #ece9ff !important; }\n.cx-acc__item.is-open .cx-acc__btn::after {\n  transform: translateY(-30%) rotate(-135deg) !important;\n}\n.cx-acc__panel {\n  max-height: 0 !important;\n  overflow: hidden !important;\n  transition: max-height 0.35s ease !important;\n}\n.cx-acc__panel-inner { padding: 16px 16px 4px !important; }\n.cx-incident .cx-acc__item.is-open > .cx-acc__panel {\n  max-height: 99999px !important;\n  overflow: visible !important;\n}\n<p>\/* ---------- IOC \/ data tables (scroll horizontally if needed) ---------- *\/\n.cx-data-table-wrap {\n  overflow-x: auto !important;\n  -webkit-overflow-scrolling: touch !important;\n  margin: 12px 0 18px !important;\n  width: 100% !important;\n  max-width: 100% !important;\n}\n.cx-data-table {\n  border-collapse: collapse !important;\n  font-size: 13px !important;\n  min-width: 100% !important;\n}\n.cx-data-table th,\n.cx-data-table td {\n  border: 1px solid #ccc !important;\n  padding: 8px 10px !important;\n  vertical-align: top !important;\n  text-align: left !important;\n  word-break: break-all !important;\n  overflow-wrap: anywhere !important;\n}\n.cx-data-table th {\n  background: #121185 !important;\n  color: #fff !important;\n  font-weight: 600 !important;\n  white-space: nowrap 
!important;\n}\n.cx-data-table .cx-label {\n  font-weight: 600 !important;\n  background: #f6f5ff !important;\n  white-space: nowrap !important;\n  width: 110px !important;\n}\n<p>\/* ---------- \"FROM MARCH 23\" banner ---------- *\/\n.cx-banner {\n  background: #f4d6d4 !important;\n  padding: 12px 14px !important;\n  font-weight: 600 !important;\n  margin: 16px 0 !important;\n  border-radius: 6px !important;\n  font-size: 14px !important;\n}\n<p>\/* ---------- April 27 event timeline visual ---------- *\/\n.cx-evtable {\n  width: 100% !important;\n  border-collapse: collapse !important;\n  margin: 8px 0 16px !important;\n  font-size: 13px !important;\n  table-layout: fixed !important;\n}\n.cx-evtable td {\n  padding: 10px 8px !important;\n  vertical-align: top !important;\n  border-bottom: 1px solid #eee !important;\n  word-wrap: break-word !important;\n  overflow-wrap: break-word !important;\n}\n.cx-evtable .cx-bar { width: 4px !important; padding: 0 !important; }\n.cx-evtable .cx-bar-breach { background: #c0392b !important; }\n.cx-evtable .cx-bar-persistence { background: #d4a017 !important; }\n.cx-evtable .cx-bar-disclosure { background: #1f6feb !important; }\n.cx-evtable .cx-month {\n  background: #f2f2f2 !important;\n  text-align: center !important;\n  font-weight: 600 !important;\n  font-size: 11px !important;\n  letter-spacing: 0.08em !important;\n}\n.cx-evtable .cx-date {\n  width: 60px !important;\n  font-weight: 600 !important;\n  white-space: nowrap !important;\n  font-size: 12px !important;\n}\n.cx-evtable .cx-tag {\n  width: 90px !important;\n  font-weight: 600 !important;\n  font-size: 10px !important;\n  letter-spacing: 0.08em !important;\n}\n.cx-evtable .cx-tag-breach { color: #c0392b !important; }\n.cx-evtable .cx-tag-persistence { color: #d4a017 !important; }\n.cx-evtable .cx-tag-disclosure { color: #1f6feb !important; }\n.cx-legend {\n  font-size: 12px !important;\n  margin: 10px 0 18px !important;\n}\n.cx-legend span {\n  display: inline-block 
!important;\n  margin-right: 14px !important;\n}\n.cx-legend .cx-sq {\n  display: inline-block !important;\n  width: 11px !important;\n  height: 11px !important;\n  vertical-align: middle !important;\n  margin-right: 5px !important;\n}\n<p>\/* ============================================================\n   DESKTOP (\u2265768px) \u2014 bumped sizes\n   ============================================================ *\/\n@media (min-width: 768px) {\n  .cx-incident p,\n  .cx-incident li {\n    font-size: 17px !important;\n  }\n  .cx-incident h2.cx-section-title {\n    font-size: 32px !important;\n    margin: 40px 0 18px !important;\n  }\n  .cx-incident h3 { font-size: 20px !important; }\n  .cx-incident h4 { font-size: 17px !important; }\n<p>  .cx-timeline-table td { font-size: 15px !important; }\n  .cx-timeline-table thead th { font-size: 14px !important; }\n<p>  .cx-acc__btn {\n    font-size: 20px !important;\n    padding: 16px 48px 16px 18px !important;\n  }\n  .cx-acc__btn::after { right: 20px !important; width: 12px !important; height: 12px !important; }\n  .cx-acc__panel-inner { padding: 18px 20px 8px !important; }\n<p>  .cx-data-table { font-size: 14px !important; }\n<p>  .cx-evtable .cx-date { width: 80px !important; font-size: 13px !important; }\n  .cx-evtable .cx-tag { width: 110px !important; font-size: 11px !important; }\n}\n<p>\/* ============================================================\n   MOBILE (<560px) \u2014 stack timeline table into cards\n   ============================================================ *\/\n@media (max-width: 559px) {\n  \/* Stack timeline as cards *\/\n  .cx-timeline-table {\n    border: 0 !important;\n    display: block !important;\n    table-layout: auto !important;\n  }\n  .cx-timeline-table thead { display: none !important; }\n  .cx-timeline-table tbody { display: block !important; width: 100% !important; }\n  .cx-timeline-table tbody tr {\n    display: block !important;\n    width: 100% !important;\n    border: 1px solid 
#d8d8e8 !important;\n    border-radius: 8px !important;\n    margin-bottom: 12px !important;\n    padding: 6px 0 !important;\n    background: #fff !important;\n  }\n  .cx-timeline-table tbody tr:nth-child(even) { background: #f6f5ff !important; }\n  .cx-timeline-table td {\n    display: block !important;\n    width: 100% !important;\n    border: 0 !important;\n    padding: 6px 14px !important;\n    white-space: normal !important;\n    font-size: 14px !important;\n  }\n  .cx-timeline-table td:first-child {\n    font-size: 12px !important;\n    text-transform: uppercase !important;\n    letter-spacing: 0.06em !important;\n    padding-bottom: 2px !important;\n  }\n  .cx-timeline-table td:nth-child(2) {\n    font-size: 15px !important;\n    font-weight: 600 !important;\n    padding-top: 0 !important;\n    padding-bottom: 4px !important;\n    color: #121185 !important;\n  }\n  .cx-timeline-table td:nth-child(3) { padding-top: 2px !important; }\n  .cx-timeline-table td:nth-child(4) {\n    border-top: 1px dashed #d8d8e8 !important;\n    margin-top: 6px !important;\n    padding-top: 10px !important;\n    font-size: 12px !important;\n    color: #121185 !important;\n    font-weight: 600 !important;\n  }\n\n  \/* Tighter accordion on small phones *\/\n  .cx-acc__btn {\n    font-size: 15px !important;\n    padding: 13px 38px 13px 14px !important;\n  }\n  .cx-acc__panel-inner { padding: 14px 14px 4px !important; }\n\n  \/* Event timeline (Apr 27 visual) stacks *\/\n  .cx-evtable,\n  .cx-evtable tbody,\n  .cx-evtable tr,\n  .cx-evtable td {\n    display: block !important;\n    width: 100% !important;\n  }\n  .cx-evtable .cx-bar { display: none !important; }\n  .cx-evtable tr {\n    border-left: 4px solid #ccc !important;\n    padding: 8px 0 !important;\n    margin-bottom: 8px !important;\n    border-bottom: 0 !important;\n  }\n  .cx-evtable .cx-month {\n    border-left: 0 !important;\n    padding: 6px !important;\n    margin-bottom: 8px !important;\n  }\n  .cx-evtable 
.cx-date,\n  .cx-evtable .cx-tag {\n    width: auto !important;\n    display: inline-block !important;\n    padding: 2px 12px !important;\n  }\n  .cx-evtable .cx-tag { padding-top: 0 !important; }\n}\n<\/style>\n\n\n\n\n<div class=\"cx-incident\">\n<p>  <!-- ============================================================\n       INTRO\n       ============================================================ --><\/p>\n<p><strong>Supply Chain Security Incident Summary<\/strong><br>\n  <strong>Updated May 22, 2026<\/strong><\/p>\n<p>The following is designed to provide an incident summary and central location for updates that have previously been provided.<\/p>\n<p>  <!-- ============================================================\n       SITUATION OVERVIEW\n       ============================================================ --><\/p>\n<h2 class=\"cx-section-title article-anchor\" id=\"situation-overview\">Situation Overview<\/h2>\n<p>Checkmarx experienced a cybersecurity supply chain incident affecting certain developer artifacts distributed through third-party channels.<\/p>\n<p>Beginning on March 23, 2026, attackers gained unauthorized access to Checkmarx&rsquo;s GitHub repositories, likely through a third-party supply chain attack that affected the broader cybersecurity community. This access enabled the publication of malicious code to a number of externally distributed artifacts, including VS Code extensions, GitHub Actions workflows, and a Jenkins plugin. 
In addition, a cybercriminal group published data to the dark web that our investigation indicates originated from Checkmarx&rsquo;s GitHub repositories.<\/p>\n<p>Our investigation, conducted with the support of external forensic specialists including Mandiant, is in its final stages.<\/p>\n<p>  <!-- ============================================================\n       TIMELINE (clickable rows -> auto-expand accordion below)\n       ============================================================ --><\/p>\n<h2 class=\"cx-section-title article-anchor\" id=\"timeline\">Timeline<\/h2>\n<p>Following is a timeline of events and updates.<\/p>\n<div class=\"cx-timeline-wrap\">\n<table class=\"cx-timeline-table\" role=\"grid\">\n<thead>\n<tr>\n<th scope=\"col\">Date<\/th>\n<th scope=\"col\">Title<\/th>\n<th scope=\"col\">Description<\/th>\n<th scope=\"col\">Update<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr tabindex=\"0\" data-target=\"acc-may9\" onclick=\"(function(){['acc-may22','acc-may9'].forEach(function(t){var i=document.getElementById(t);if(!i)return;i.classList.add('is-open');var b=i.querySelector('.cx-acc__btn');if(b)b.setAttribute('aria-expanded','true');});var first=document.getElementById('acc-may22');setTimeout(function(){var r=first.getBoundingClientRect();window.scrollTo({top:r.top+(window.pageYOffset||document.documentElement.scrollTop)-100,behavior:'smooth'});},50);})()\" onkeydown=\"if(event.key==='Enter'||event.key===' '){event.preventDefault();this.click();}\">\n<td>9-May-2026<\/td>\n<td>Jenkins Plugin Compromise<\/td>\n<td>External service account modified Jenkins AST plugin and published to Jenkins Marketplace<\/td>\n<td class=\"cx-link-col\">Incident Update: Friday, May 22, 2026<br>Incident Update: Saturday, May 9, 2026<\/td>\n<\/tr>\n<tr tabindex=\"0\" data-target=\"acc-apr27\" onclick=\"(function(){['acc-apr27','acc-apr26'].forEach(function(t){var i=document.getElementById(t);if(!i)return;i.classList.add('is-open');var 
b=i.querySelector('.cx-acc__btn');if(b)b.setAttribute('aria-expanded','true');});var first=document.getElementById('acc-apr27');setTimeout(function(){var r=first.getBoundingClientRect();window.scrollTo({top:r.top+(window.pageYOffset||document.documentElement.scrollTop)-100,behavior:'smooth'});},50);})()\" onkeydown=\"if(event.key==='Enter'||event.key===' '){event.preventDefault();this.click();}\">\n<td>25-Apr-2026<\/td>\n<td>Dark Web Leak<\/td>\n<td>Data exfiltrated from Checkmarx GitHub repos March 30 using compromised credentials from March wave; cyber-criminals published to dark web April 25<\/td>\n<td class=\"cx-link-col\">Incident Update: Monday, April 27, 2026<br>Incident Update: Sunday, April 26, 2026<\/td>\n<\/tr>\n<tr tabindex=\"0\" data-target=\"acc-apr22\" onclick=\"(function(t){var i=document.getElementById(t);if(!i)return;i.classList.add('is-open');var b=i.querySelector('.cx-acc__btn');if(b)b.setAttribute('aria-expanded','true');setTimeout(function(){var r=i.getBoundingClientRect();window.scrollTo({top:r.top+(window.pageYOffset||document.documentElement.scrollTop)-100,behavior:'smooth'});},50);})('acc-apr22')\" onkeydown=\"if(event.key==='Enter'||event.key===' '){event.preventDefault();this.click();}\">\n<td>22-Apr-2026<\/td>\n<td>Second Wave Artifacts<\/td>\n<td>Cached credentials enable publication of malicious KICS Docker image, updated VSCode &amp; DevAssist extensions, and GitHub Action<\/td>\n<td class=\"cx-link-col\">Incident Update: Wednesday, April 22, 2026<\/td>\n<\/tr>\n<tr tabindex=\"0\" data-target=\"acc-mar23\" onclick=\"(function(t){var i=document.getElementById(t);if(!i)return;i.classList.add('is-open');var b=i.querySelector('.cx-acc__btn');if(b)b.setAttribute('aria-expanded','true');setTimeout(function(){var r=i.getBoundingClientRect();window.scrollTo({top:r.top+(window.pageYOffset||document.documentElement.scrollTop)-100,behavior:'smooth'});},50);})('acc-mar23')\" onkeydown=\"if(event.key==='Enter'||event.key===' 
'){event.preventDefault();this.click();}\">\n<td>23-Mar-2026<\/td>\n<td>Supply Chain Entry<\/td>\n<td>Team PCP compromises Trivy; stolen credentials used to publish malicious GitHub Actions &amp; VSCode extensions to OpenVSX<\/td>\n<td class=\"cx-link-col\">Incident Update: Monday, March 23, 2026<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<p>  <!-- ============================================================\n       ACTIONS TAKEN\n       ============================================================ --><\/p>\n<h2 class=\"cx-section-title article-anchor\" id=\"actions-taken\">Actions Taken<\/h2>\n<p>Since the first day of the incident, Checkmarx has been conducting active investigation, and remediation efforts. Key actions taken to date include:<\/p>\n<ul>\n<li>Removed malicious artifacts and published clean, verified replacements across all affected channels<\/li>\n<li>Rotated and revoked exposed credentials, with validation and follow-up rotation continuing as the investigation progresses<\/li>\n<li>Blocked outbound access to attacker-controlled infrastructure<\/li>\n<li>Implementing additional security controls, tools, and access restrictions within our development environment<\/li>\n<li>Locked down access to affected GitHub repositories while the investigation continues<\/li>\n<li>Engaged law enforcement and notified relevant authorities<\/li>\n<li>Retained Mandiant, an elite incident response and digital forensics firm, to bolster our investigation<\/li>\n<li>Conducting a code audit to verify no further malicious code is present beyond findings already identified<\/li>\n<li>Reviewing our environments for any indications of further compromise<\/li>\n<\/ul>\n<p>We are now in the final stages of our investigation. 
We will provide further updates as our investigation progresses.<\/p>\n<p>  <!-- ============================================================\n       INCIDENT UPDATES (ACCORDION)\n       ============================================================ --><\/p>\n<h2 class=\"cx-section-title article-anchor\" id=\"incident-updates\">Incident Updates<\/h2>\n<div class=\"cx-acc\" id=\"cx-incident-acc\">\n<p>    <!-- ===== MAY 22, 2026 ===== --><\/p>\n<div class=\"cx-acc__item\" id=\"acc-may22\">\n      <button type=\"button\" class=\"cx-acc__btn\" aria-expanded=\"false\" onclick=\"var i=this.parentNode;i.classList.toggle('is-open');this.setAttribute('aria-expanded',i.classList.contains('is-open'));return false;\">Incident Update: Friday, May 22, 2026<\/button>\n<div class=\"cx-acc__panel\">\n<div class=\"cx-acc__panel-inner\">\n<p>Over the past week and while our investigation is continuing, we held a series of conversations and calls with our customers so they could hear directly from us about the progress we are making in our response to the supply chain incident. We hope that these sessions were helpful in better understanding what has happened and what actions Checkmarx is taking in response.<\/p>\n<p>We are sharing below the FAQs from these conversations. If you have further questions, please continue to direct these to your Checkmarx account team.<\/p>\n<h3>Frequently Asked Questions<\/h3>\n<h4>What is the status of the investigation?<\/h4>\n<p>While we are continuing to investigate, we want to reiterate two key points from our investigation so far:<\/p>\n<ul>\n<li>The incident occurred within our GitHub environment. To date, our investigation has not identified impact beyond the Checkmarx GitHub environment and a limited number of infected workstations. 
As an added precaution while the investigation continues, we proactively disconnected our release pipeline from production during the initial stages of our response.<\/li>\n<li>The malicious artifacts did not overwrite previously published, known-safe versions. Customers using versions or SHAs published prior to the affected timeframes (see below) are not affected by the artifact compromises themselves. A full list of affected artifacts, including malicious tags and SHAs, is available in the updates below and in the Customer Support Portal.<\/li>\n<\/ul>\n<p>We have retained Mandiant, an elite incident response, digital forensics, and threat intelligence firm, to confirm and further support our investigation, security hardening, and threat hunting efforts, and to ensure no residual access remains. We will provide further updates as our investigation progresses.<\/p>\n<h4>What measures are being taken to prevent this from happening again?<\/h4>\n<p>We are undertaking, in partnership with Mandiant, a thorough investigation and implementing a robust set of containment measures and forward-looking controls to protect Checkmarx and our customers. 
To date, we have revoked all publishing permissions, revoked all classic GitHub personal access tokens, moved to OIDC authentication across the SDLC, and deployed additional monitoring and forensic tooling.<\/p>\n<p>We are continuing to work alongside Mandiant to conduct a structured verification phase to confirm the scope of the incident and to verify that no residual access paths remain.<\/p>\n<h4>What steps should customers take to protect themselves?<\/h4>\n<p>We recommend that our customers follow these best practices:<\/p>\n<ul>\n<li>Pin to specific SHAs rather than mutable tags (latest, debian, alpine)<\/li>\n<li>Disable auto-update on IDE extensions<\/li>\n<li>Scan images at pull time and validate signatures<\/li>\n<li>Restrict egress from CI runners to an allowlist; monitor outbound connections for unexpected domains<\/li>\n<li>Treat CI runner credentials as short-lived and tightly scoped<\/li>\n<\/ul>\n<p>In addition, a full list of recommended actions for our customers can be found in the incident updates below.<\/p>\n<h4>Was the May 9 Jenkins AST plugin activity part of the original incident?<\/h4>\n<p>Our assessment, based on currently available evidence, is that the threat actor was able to leverage access obtained as part of the March incident to later publish the modified version of the Jenkins plugin on May 9. This plugin has now been removed, and clean replacement versions have been published (2.0.13-848.v76e89de8a_053 and 2.0.13-847.v08c0072b_2fd5).<\/p>\n<p>The malicious payload associated with the modified plugin targets lists of file paths for common applications, each tailored to a specific operating system (WIN, LINUX, OSX). After determining the OS, it traverses the corresponding file list looking for credentials. Targeted applications include crypto wallets, VPNs, AWS, and GitHub. 
We are still conducting malware analysis to understand the specific paths, but to date we have not seen any references to Jenkins.<\/p>\n<p>If you use the Jenkins AST plugin, we recommend the following actions:<\/p>\n<ul>\n<li>Ensure you are on one of those versions or on 2.0.13-829.vc72453fa_1c16 from December 17, 2025 or earlier. The malicious window was 2026-05-09 01:25 UTC to 2026-05-10 08:47 UTC. We recommend rotating all credentials that the pipeline that executed the malicious payload has access to.<\/li>\n<li>Hunt across your environment using the indicators below.<\/li>\n<\/ul>\n<h4>File Characteristics<\/h4>\n<div class=\"cx-data-table-wrap\">\n<table class=\"cx-data-table\">\n<thead>\n<tr>\n<th>File Name<\/th>\n<th>File Type<\/th>\n<th>Size (bytes)<\/th>\n<th>MD5<\/th>\n<th>SHA256<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>cli.js<\/td>\n<td>TXT<\/td>\n<td>488,465<\/td>\n<td>9f9f83795fc162b7e44bc6859fc80535<\/td>\n<td>08352b4c37808a25895cda1cae27ec8a83cf7ee9de15e2d4dd9560a2906730f4<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<h4>Network-based Indicators<\/h4>\n<p><strong>Connections<\/strong><\/p>\n<ul>\n<li>hxxps[:]\/\/api[.]github[.]com:443\/user<\/li>\n<li>hxxps[:]\/\/registry[.]npmjs[.]org:443\/-\/whoami<\/li>\n<\/ul>\n<p><strong>HTTP Headers<\/strong><\/p>\n<ul>\n<li>User-Agent: node<\/li>\n<li>Accept: application\/vnd.github+json<\/li>\n<\/ul>\n<h4>Has any customer data been affected as part of this incident?<\/h4>\n<p>Based on currently available evidence, we believe that the data the threat actor published to the dark web originated from Checkmarx&rsquo;s GitHub repository. As standard practice, we do not store customer data in our GitHub repository. The investigation into the nature and scope of any impacted data remains ongoing. 
We will notify customers individually if any personal or sensitive data relating to them was affected.<\/p>\n<h4>Will you share a written incident summary with customers?<\/h4>\n<p>We will share a post-incident summary covering findings, remediation, and forward-looking controls with customers upon request.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<p>    <!-- ===== MAY 9, 2026 ===== --><\/p>\n<div class=\"cx-acc__item\" id=\"acc-may9\">\n      <button type=\"button\" class=\"cx-acc__btn\" aria-expanded=\"false\" onclick=\"var i=this.parentNode;i.classList.toggle('is-open');this.setAttribute('aria-expanded',i.classList.contains('is-open'));return false;\">Incident Update: Saturday, May 9, 2026<\/button>\n<div class=\"cx-acc__panel\">\n<div class=\"cx-acc__panel-inner\">\n<p>We are aware that a modified version of the Checkmarx Jenkins AST plugin was published to the Jenkins Marketplace. We are in the process of publishing a new version of this plug-in.<\/p>\n<p>If you are using Checkmarx Jenkins AST Plugin, you need to ensure that you are using the version 2.0.13-829.vc72453fa_1c16 that was published on Dec. 
17, 2025 or previously.<\/p>\n<p>We will continue to share updates as we have them available.<\/p>\n<p><strong>Checkmarx Jenkins AST Plugin IOCs (malicious artifacts)<\/strong><\/p>\n<div class=\"cx-data-table-wrap\">\n<table class=\"cx-data-table\">\n<tbody>\n<tr>\n<td class=\"cx-label\">Marketplace<\/td>\n<td><a href=\"https:\/\/plugins.jenkins.io\/checkmarx-ast-scanner\/\">Checkmarx AST Scanner (plugins.jenkins.io)<\/a><\/td>\n<\/tr>\n<tr>\n<td class=\"cx-label\">Version<\/td>\n<td>2026.5.09<\/td>\n<\/tr>\n<tr>\n<td class=\"cx-label\">File<\/td>\n<td>checkmarx-ast-scanner-2026.5.09.hpi<\/td>\n<\/tr>\n<tr>\n<td class=\"cx-label\">SHA256<\/td>\n<td>01ff1e56fd59a8fa525d97e670f7f297a1a204331b89b2cd4e36a9abc6419203<\/td>\n<\/tr>\n<tr>\n<td class=\"cx-label\">File<\/td>\n<td>checkmarx-ast-scanner-2026.5.09.jar<\/td>\n<\/tr>\n<tr>\n<td class=\"cx-label\">SHA256<\/td>\n<td>f50a96d26a5b0beb29de4127e82b2bf350c21511e5a43d286e43f798dc6cd53f<\/td>\n<\/tr>\n<tr>\n<td class=\"cx-label\">File<\/td>\n<td>checkmarx-ast-scanner-2026.5.09.pom<\/td>\n<\/tr>\n<tr>\n<td class=\"cx-label\">SHA256<\/td>\n<td>3ddb8967919a801b3c383e58cddceab21138134c6a26560d99e2672e86f36f2a<\/td>\n<\/tr>\n<tr>\n<td class=\"cx-label\">Window<\/td>\n<td>2026-05-09 01:25:00 UTC to 2026-05-10 08:47:00 UTC<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<h3>Latest SHAs:<\/h3>\n<p>\n            2.0.13-848.v76e89de8a_053<br>\n            Released: May 9, 2026<br>\n            SHA-1: 65e4fbfbfb66dfd4a6e2e521e879cfa1b5745282<br>\n            SHA-256: db7e0a5eb292810fb9d68224596dd3fa887d094f37021073fb5b5b2a232bcd23<br>\n            Requires Jenkins 2.452.4\n          <\/p>\n<p>\n            2.0.13-847.v08c0072b_2fd5<br>\n            Released: May 9, 2026<br>\n            SHA-1: f430ce10bf8bb66ab133a257ab4063b8055d23de<br>\n            SHA-256: 894c1a245f30ffe168f4dfda48f36ba5c1bc9da7d0f093a8095d8aed92d0fcd8<br>\n            Requires Jenkins 2.452.4\n          <\/p>\n<\/div>\n<\/div>\n<\/div>\n<p>    <!-- ===== APRIL 
27, 2026 (includes Apr 26 content per timeline mapping) ===== --><\/p>\n<div class=\"cx-acc__item\" id=\"acc-apr27\">\n      <button type=\"button\" class=\"cx-acc__btn\" aria-expanded=\"false\" onclick=\"var i=this.parentNode;i.classList.toggle('is-open');this.setAttribute('aria-expanded',i.classList.contains('is-open'));return false;\">Incident Update: Monday, April 27, 2026<\/button>\n<div class=\"cx-acc__panel\">\n<div class=\"cx-acc__panel-inner\">\n<h3>What happened?<\/h3>\n<p>On March 23, 2026, Checkmarx identified a cybersecurity incident originating from the Trivy Supply Chain Attack. The cybersecurity community previously reported on March 19 that the TeamPCP attack affecting the Trivy scanner could potentially be used to harvest credentials from downstream users.<\/p>\n<p>While we are still investigating the incident, we believe this is the likely vector that enabled the attackers to obtain credentials and to gain unauthorized access to our GitHub repositories. As a result of that access, the attackers were able to interact with Checkmarx&rsquo;s GitHub environment and subsequently publish malicious code to certain artifacts.<\/p>\n<p>As part of our investigation into the incident, we identified that exfiltration of data took place on March 30, 2026. A cybercriminal group subsequently published data related to Checkmarx to the dark web on April 25. Current evidence indicates that this data originated from Checkmarx&rsquo;s GitHub repositories, and that access to those repositories was facilitated through the initial supply chain attack of March 23, 2026.<\/p>\n<p><strong>Importantly, Checkmarx&rsquo;s GitHub repositories are maintained separately from our customer production environment. 
As standard practice, we do not store customer data in our GitHub repository.<\/strong><\/p>\n<h3>Incident Timeline<\/h3>\n<div class=\"cx-banner\">\u25cf FROM MARCH 23 \u2014 DAY ONE ONWARDS<br>\n            <span style=\"font-weight:400;display:block;margin-top:6px;\">Checkmarx has been conducting active containment, investigation, remediation and communication efforts continuously from the first day of the incident.<\/span>\n          <\/div>\n<div class=\"cx-data-table-wrap\">\n<table class=\"cx-evtable\">\n<tbody>\n<tr class=\"cx-month\">\n<td colspan=\"4\">\u2014 MARCH \u2014<\/td>\n<\/tr>\n<tr>\n<td class=\"cx-bar cx-bar-breach\"><\/td>\n<td class=\"cx-date\">Mar 23<\/td>\n<td class=\"cx-tag cx-tag-breach\">EVENT<\/td>\n<td>\n                    <strong>Compromised artifacts published<\/strong><br>\n                    Malicious Checkmarx artifacts are published. Attacker pushes malicious code directly into the Checkmarx GitHub repository.\n<p>                    Containment, investigation, remediation and communication efforts commenced immediately, and remain ongoing.\n                  <\/p>\n<\/td>\n<\/tr>\n<tr class=\"cx-month\">\n<td colspan=\"4\">\u2014 APRIL \u2014<\/td>\n<\/tr>\n<tr>\n<td class=\"cx-bar cx-bar-persistence\"><\/td>\n<td class=\"cx-date\">Apr 22<\/td>\n<td class=\"cx-tag cx-tag-persistence\">PERSISTENCE<\/td>\n<td>\n                    <strong>Compromised artifacts published<\/strong><br>\n                    A second wave of malicious Checkmarx artifacts are published, indicating continued or renewed attacker access.\n                  <\/td>\n<\/tr>\n<tr>\n<td class=\"cx-bar cx-bar-disclosure\"><\/td>\n<td class=\"cx-date\">Apr 25<\/td>\n<td class=\"cx-tag cx-tag-disclosure\">DISCLOSURE<\/td>\n<td>\n                    <strong>LAPSUS$ publishes stolen data<\/strong><br>\n                    LAPSUS$ publicly releases data stamped March 30, nearly one month after the suspected exfiltration of data from the Checkmarx GitHub repository 
by the attacker.\n                  <\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<div class=\"cx-legend\">\n            <span><span class=\"cx-sq\" style=\"background:#c0392b;\"><\/span>Breach \/ Exfiltration<\/span><br>\n            <span><span class=\"cx-sq\" style=\"background:#d4a017;\"><\/span>Persistence<\/span><br>\n            <span><span class=\"cx-sq\" style=\"background:#1f6feb;\"><\/span>Disclosure<\/span>\n          <\/div>\n<h3>Actions we have taken<\/h3>\n<p>Upon identification of the incident, Checkmarx commenced a formal investigation and engaged external forensic specialists to support that work.<\/p>\n<p>Initial steps Checkmarx took to contain and remediate the incident included:<\/p>\n<ul>\n<li>Removed unauthorized code and published clean artifacts<\/li>\n<li>Implemented additional safeguards within our development and distribution workflows<\/li>\n<li>Rotated credentials identified as potentially exposed, with validation and follow-up rotation continuing as the investigation progressed<\/li>\n<li>Reviewed our environments for indications of further compromise<\/li>\n<\/ul>\n<p>Following evidence of further malicious artifacts, we took additional steps to strengthen our security posture:<\/p>\n<ul>\n<li>Engaged law enforcement to make them aware of the incident<\/li>\n<li>Retained Mandiant, an elite incident response, digital forensics, and threat intelligence firm to bolster our investigation efforts<\/li>\n<li>Conducted a wider rotation of credentials across the environment<\/li>\n<li>Implemented additional security controls, tools, and access restrictions within our development environment<\/li>\n<li>Performed additional reviews of access pathways and integrations<\/li>\n<li>Locked down access to the affected GitHub repositories while the investigation continues<\/li>\n<li>Commenced a code audit, currently underway, to verify that no further malicious code is present beyond the findings already identified<\/li>\n<\/ul>\n<p>We are now in 
the final stages of our investigation and confirming that the unauthorised access has been fully contained. We will share further on this as soon as we are able.<\/p>\n<h3>Additional Information<\/h3>\n<p>We have communicated with our customers throughout this process and will continue to provide relevant updates as more information becomes available. Further information, including recommended steps customers can take, is available on our Support Portal or in our Security Updates.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<p>    <!-- ===== APRIL 26, 2026 ===== --><\/p>\n<div class=\"cx-acc__item\" id=\"acc-apr26\">\n      <button type=\"button\" class=\"cx-acc__btn\" aria-expanded=\"false\" onclick=\"var i=this.parentNode;i.classList.toggle('is-open');this.setAttribute('aria-expanded',i.classList.contains('is-open'));return false;\">Incident Update: Sunday, April 26, 2026<\/button>\n<div class=\"cx-acc__panel\">\n<div class=\"cx-acc__panel-inner\">\n<h3>New Development: GitHub Repository<\/h3>\n<p>We are writing to inform you of a new development in the ongoing Checkmarx supply chain security incident.<\/p>\n<p>Our investigation, conducted with support from a leading third-party forensic firm, indicates that a cybercriminal group has published data related to Checkmarx to the dark web. Based on current evidence, we believe this data originated from Checkmarx&rsquo;s GitHub repository, and that access to that repository was facilitated through the initial supply chain attack of March 23, 2026.<\/p>\n<p><strong>Checkmarx&rsquo;s GitHub repository is maintained separately from our customer production environment. 
As standard practice, we do not store customer data in our GitHub repository.<\/strong> Our forensic investigation is ongoing and we are actively working to verify the nature and scope of the posted data.<\/p>\n<p>As part of our immediate response, we have locked down access to the affected GitHub repository while the investigation continues.<\/p>\n<p>If we determine that customer information was involved in this incident, we will notify customers and all relevant parties immediately.<\/p>\n<p>We expect to share a more detailed update within 24 hours.<\/p>\n<h3>Questions and Support<\/h3>\n<p>If you have questions about this incident or need assistance assessing your environment, please open a case via the <a href=\"http:\/\/support.checkmarx.com\/\" target=\"_blank\" rel=\"noopener\">Support Portal<\/a>.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<p>    <!-- ===== APRIL 22, 2026 ===== --><\/p>\n<div class=\"cx-acc__item\" id=\"acc-apr22\">\n      <button type=\"button\" class=\"cx-acc__btn\" aria-expanded=\"false\" onclick=\"var i=this.parentNode;i.classList.toggle('is-open');this.setAttribute('aria-expanded',i.classList.contains('is-open'));return false;\">Incident Update: Wednesday, April 22, 2026<\/button>\n<div class=\"cx-acc__panel\">\n<div class=\"cx-acc__panel-inner\">\n<h3>What Happened<\/h3>\n<p>On April 22, we communicated with customers about a new development in the supply chain security incident that our team is actively investigating and addressing. We deeply value the trust you place in Checkmarx and are committed to keeping our customers informed as we continue to respond.<\/p>\n<p>As part of our immediate response, we retained outside experts and are working around the clock to get to the bottom of this as quickly as possible. 
In the interim, we are sharing key findings to-date and recommended actions for our customers to take.<\/p>\n<h3>Key Findings<\/h3>\n<p>Notably, our investigation thus far indicates that the malicious artifacts did <strong>not<\/strong> override previously published, known safe versions. Customers using versions or SHAs published prior to the affected timeframes are <strong>not affected.<\/strong><\/p>\n<h3>Affected Artifacts<\/h3>\n<p>The following artifacts have been identified as potentially affected:<\/p>\n<ol>\n<li>\n<strong>Checkmarx public DockerHub KICS image<\/strong> &mdash; <a href=\"https:\/\/hub.docker.com\/r\/checkmarx\/kics\">https:\/\/hub.docker.com\/r\/checkmarx\/kics<\/a>\n<ol>\n<li>Malicious tags: v2.1.20-debian, v2.1.21-debian, debian, v2.1.21, v2.1.20, alpine, v2.1.20, v2.1.21, latest<\/li>\n<li>Malicious SHAs: sha256:222e6bfed0f3b, sha256:9183908decd0f, sha256:a6871deb0480e, sha256:ff7b0f114f87c, sha256:1b01a97753780, sha256:2588a44890263, sha256:54f8a56bf1f71, sha256:d186161ae8e33, sha256:415610a42c5b5, sha256:e35bc6afc4857, sha256:a0d9366f6f016, sha256:903eef3c05f6e, sha256:26e8e9c5e53c9, sha256:7391b531a07fc, sha256:4c963fa00e585<\/li>\n<li>Timeframe: from 2026-04-22 12:31:35.883 UTC to 2026-04-22 12:59:46.562 UTC<\/li>\n<\/ol>\n<\/li>\n<li>\n<strong>Checkmarx public ast-github-action<\/strong> &mdash; <a href=\"https:\/\/github.com\/checkmarx\/ast-github-action\">https:\/\/github.com\/checkmarx\/ast-github-action<\/a>\n<ol>\n<li>Malicious tags: 2.3.35<\/li>\n<li>Timeframe: from 2026-04-22 14:17:59 UTC to 2026-04-22 15:41:31 UTC<\/li>\n<\/ol>\n<\/li>\n<li>\n<strong>Checkmarx VS Code extension<\/strong>\n<ol>\n<li>Microsoft marketplace: <a href=\"https:\/\/marketplace.visualstudio.com\/items?itemName=checkmarx.ast-results\">https:\/\/marketplace.visualstudio.com\/items?itemName=checkmarx.ast-results<\/a>\n<\/li>\n<li>Open VSX marketplace: <a 
href=\"https:\/\/open-vsx.org\/extension\/checkmarx\/ast-results\">https:\/\/open-vsx.org\/extension\/checkmarx\/ast-results<\/a>\n<\/li>\n<li>Malicious tags: 2.63, 2.66<\/li>\n<li>Timeframe &mdash; Microsoft marketplace: From 2026-04-22 13:06:00 UTC to 2026-04-22 17:48:00 UTC<br>Timeframe &mdash; Open-VSX marketplace: From 2026-04-22 13:06:00 UTC to 2026-04-22 21:20:00 UTC<\/li>\n<\/ol>\n<\/li>\n<li>\n<strong>Checkmarx Developer Assist extension<\/strong>\n<ol>\n<li>Microsoft marketplace: <a href=\"https:\/\/marketplace.visualstudio.com\/items?itemName=checkmarx.cx-dev-assist\">https:\/\/marketplace.visualstudio.com\/items?itemName=checkmarx.cx-dev-assist<\/a>\n<\/li>\n<li>Open VSX marketplace: <a href=\"https:\/\/open-vsx.org\/extension\/checkmarx\/cx-dev-assist\">https:\/\/open-vsx.org\/extension\/checkmarx\/cx-dev-assist<\/a>\n<\/li>\n<li>Malicious tags: 1.17, 1.19<\/li>\n<li>Timeframe &mdash; Microsoft marketplace: From 2026-04-22 13:06:00 UTC to 2026-04-22 17:48:00 UTC<br>Timeframe &mdash; Open-VSX marketplace: From 2026-04-22 13:06:00 UTC to 2026-04-22 21:20:00 UTC<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<h3>Actions We&rsquo;ve Taken<\/h3>\n<p>To date, in response to this development we have:<\/p>\n<ol>\n<li>Removed the malicious artifacts;<\/li>\n<li>Revoked and rotated exposed credentials;<\/li>\n<li>Blocked outbound access to attacker-controlled infrastructure;<\/li>\n<li>Reviewed our environments for any signs of further compromise.<\/li>\n<li>Initiated a forensic investigation with the assistance of an independent, third-party forensic firm.<\/li>\n<\/ol>\n<h3>Recommended Actions<\/h3>\n<p>We recommend that our customers take the following steps as soon as possible:<\/p>\n<ol>\n<li>Block access to these domains and IP addresses:\n<ol>\n<li>checkmarx.cx =&gt; 91[.]195[.]240[.]123<\/li>\n<li>audit.checkmarx.cx =&gt; 94[.]154[.]172[.]43<\/li>\n<\/ol>\n<\/li>\n<li>Use pinned SHAs and review or disable auto-update settings in IDE marketplaces<\/li>\n<li>Rotate 
secrets and credentials if a compromise is suspected or detected\n<ol>\n<li>DockerHub KICS image: latest, v2.1.20, alpine, Debian<\/li>\n<li>Checkmarx ast-github-action: v2.3.36<\/li>\n<li>Checkmarx VS Code extensions: v2.67.0<\/li>\n<li>Checkmarx Developer Assist extension: v1.18.0<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<h3>Guidance for CxSAST On-Premise Customers<\/h3>\n<p>We have received questions from customers running CxSAST on-premise about whether their environments are within the scope of this incident. This communication outlines what is, and is not, in scope for your specific environment (Cx SAST on-premises and CxSAST hosted), and the limited circumstance under which you may need to take action.<\/p>\n<h3>Scope Summary<\/h3>\n<p>Based on our investigation to date, the artifacts confirmed as compromised in this incident are externally distributed components associated with Checkmarx One. They are not part of, and are not delivered with, a CxSAST on-premise installation. Specifically:<\/p>\n<ul>\n<li>\n<strong>CxSAST on-premise itself was not compromised.<\/strong> The incident affected externally distributed artifacts, not the CxSAST product or its installer.<\/li>\n<li>\n<strong>Checkmarx One (SaaS) infrastructure has not been identified as compromised.<\/strong> We mention this for completeness, as customer questions often span both deployment models.<\/li>\n<li>The compromised GitHub Actions (<code>checkmarx\/ast-github-action<\/code> and <code>checkmarx\/kics-github-action<\/code>) are used to invoke Checkmarx One scans from CI\/CD pipelines. They are not used by CxSAST on-premise customers in that role.<\/li>\n<li>The compromised VS Code extensions (<code>checkmarx.ast-results<\/code> and <code>checkmarx.cx-dev-assist<\/code>) are the Checkmarx One IDE integrations. 
The CxSAST on-premise IDE plugin is a separate component and was not affected.<\/li>\n<\/ul>\n<p>Although CxSAST on-premise is out of scope for the compromised artifacts, an incident of this nature warrants standard security vigilance regardless of deployment model. Below we outline the specific conditions that would require a CxSAST on-premise customer to take action as a result of this incident.<\/p>\n<h3>Action Required If Applicable<\/h3>\n<p>If your organization independently uses the open-source KICS scanner \u2014 specifically by pulling the public KICS image from Docker Hub (<a href=\"https:\/\/hub.docker.com\/r\/checkmarx\/kics\">hub.docker.com\/r\/checkmarx\/kics<\/a>) outside of any CxSAST or Checkmarx One workflow \u2014 we recommend further action if the image was pulled during the affected time window. This image is distinct from the CxSAST product and from the IaC scanning capability built into Checkmarx One.<\/p>\n<p>The compromised KICS image was present on Docker Hub during the following window:<\/p>\n<ul>\n<li>From 2026-04-22 12:31:35 UTC to 2026-04-22 12:59:46 UTC.<\/li>\n<\/ul>\n<p>If you did not pull from Docker Hub during this window, you do not need to take further action. If you did, or are uncertain, please verify the image SHA against the list of malicious SHAs in our <a href=\"https:\/\/checkmarx.com\/blog\/checkmarx-security-update-april-22\/\"><strong>public advisory<\/strong><\/a>; treat any match as a potential compromise of the host that pulled the image, and take further action as appropriate.<\/p>\n<h3>Precautionary Actions for All Customers<\/h3>\n<p>For most CxSAST on-premise customers, no product-level remediation is required. 
As precautionary measures aligned with the broader incident, we recommend:<\/p>\n<ul>\n<li>Block outbound access at the network perimeter to: <code>checkmarx.cx<\/code> (91.195.240.123), <code>audit.checkmarx.cx<\/code> (94.154.172.43), <code>updates.checkmarx.cx<\/code> (94.154.172.183), and <code>checkmarx.zone<\/code> (associated with the March 23 round).<\/li>\n<li>If your developers use VS Code, confirm that any installed Checkmarx extensions are sourced from the official Microsoft VS Code Marketplace and are current safe versions (<code>ast-results<\/code> v2.67.0 and Developer Assist v1.18.0 or v1.20.0). Consider temporarily disabling auto-update on these extensions until the investigation is closed.<\/li>\n<li>Review CI\/CD logs and developer workstation telemetry for outbound connections to any of the domains and IPs above during the affected windows.<\/li>\n<\/ul>\n<h3>Where to Go for Help<\/h3>\n<p>For environment-specific questions, please open a Support case via the Support Portal at <a href=\"http:\/\/support.checkmarx.com\/\">support.checkmarx.com<\/a>.<\/p>\n<p>We will continue to update this page as our investigation progresses.<\/p>\n<h3>Next Steps<\/h3>\n<p>This is an ongoing investigation. 
Please continue to monitor the <a href=\"https:\/\/support.checkmarx.com\/CheckmarxCustomerServiceCommunity\/s\/article\/Checkmarx-Security-Incident-22-April-2026\">Checkmarx Community Incident Page<\/a> for more information.<\/p>\n<p>If you have questions about this development, please open a case via the Support Portal.<\/p>\n<p>We are grateful for your continued support and patience as we work to address this incident.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<p>    <!-- ===== MARCH 23, 2026 ===== --><\/p>\n<div class=\"cx-acc__item\" id=\"acc-mar23\">\n      <button type=\"button\" class=\"cx-acc__btn\" aria-expanded=\"false\" onclick=\"var i=this.parentNode;i.classList.toggle('is-open');this.setAttribute('aria-expanded',i.classList.contains('is-open'));return false;\">Incident Update: Monday, March 23, 2026<\/button>\n<div class=\"cx-acc__panel\">\n<div class=\"cx-acc__panel-inner\">\n<p>On March 23, 2026, Checkmarx identified a cybersecurity supply chain incident affecting certain Checkmarx-related developer artifacts distributed via third-party channels.<\/p>\n<p>This post contains a structured overview of the incident and the steps we have taken to date, as well as additional resources to support our clients and team members.<\/p>\n<h3>What Happened<\/h3>\n<p>On March 23, 2026, Checkmarx was the target of a cybersecurity supply chain incident which affected two specific plugins distributed via the OpenVSX marketplace and two of our GitHub Actions workflows.<\/p>\n<h3>OpenVSX Plugins<\/h3>\n<p>On March 23, 2026, at approximately 02:53 UTC, malicious versions of two plugins were published to the OpenVSX registry.<\/p>\n<p>Only organizations that downloaded the following artifacts from OpenVSX on 23 March, 2026 between 02:53 UTC and 15:41 UTC and ran them are potentially impacted by this incident.<\/p>\n<ul>\n<li>ast-results-2.53.0.vsix<\/li>\n<li>cx-dev-assist-1.7.0.vsix<\/li>\n<\/ul>\n<p>The affected plug-ins are no longer available and all older GitHub versions have 
been permanently removed.<\/p>\n<p>Plugins downloaded from the VS Code Marketplace were not affected.<\/p>\n<h3>Recommended actions<\/h3>\n<p>The following guidance is provided as a precautionary measure to support customer-led assessments and remediation, where relevant to their environments.<\/p>\n<p>If a client downloaded and ran either of the above extensions from the Open VSX registry, their organization may be affected.<\/p>\n<p>If the client organization may have been affected, we strongly recommend taking the following steps as soon as possible.<\/p>\n<p><strong>1. Remove Malicious Components<\/strong><\/p>\n<ul>\n<li>Uninstall the following VSIX extensions from all environments:\n<ul>\n<li>checkmarx.ast-results-2.53.0.vsix<\/li>\n<li>checkmarx.cx-dev-assist-1.7.0.vsix<\/li>\n<\/ul>\n<\/li>\n<li>use ast-github-action &ndash; v2.3.33 only<\/li>\n<li>use kics-github-action &ndash; v2.1.20 only<\/li>\n<li>Ensure they are removed from:\n<ul>\n<li>All developer machines<\/li>\n<li>All VSCode profiles and environments<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><strong>2. Revoke and Rotate Credentials<\/strong><\/p>\n<h3>GitHub Actions<\/h3>\n<p>An issue was also identified in KICS and AST GitHub Action on March 23, 2026. The attacker injected malicious payloads into the following GitHub Actions workflows which were available between 12:58 and 16:50 UTC:<\/p>\n<ul>\n<li>checkmarx\/ast-github-action<\/li>\n<li>checkmarx\/kics-github-action<\/li>\n<\/ul>\n<p>Maintainers revoked the affected tags, securing access, and preventing unauthorized changes.<\/p>\n<p>All GitHub Actions have been updated to the following latest verified releases, and all older versions have been permanently deleted from the organization&rsquo;s repositories:<\/p>\n<ul>\n<li>ast-github-action &mdash; v2.3.33 (released March 23, 2026)<\/li>\n<li>kics-github-action &mdash; v2.1.20 (released March 23, 2026)<\/li>\n<\/ul>\n<p>Both versions are the only ones available in our repos. 
All pipelines must reference these versions exclusively or newer.<\/p>\n<h3>Recommended actions<\/h3>\n<p>If you downloaded the malicious versions of either plugin (ast-results-2.53.0.vsix or cx-dev-assist-1.7.0.vsix) from OpenVSX during the affected period, we strongly recommend following these precautionary steps:<\/p>\n<ul>\n<li>Revoke and rotate all secrets and credentials accessible to CI runners during the affected period, including GitHub Personal Access Tokens (PATs), cloud service credentials, and repository or organization-level secrets.<\/li>\n<li>Review GitHub Actions runs, search for suspicious indicators such as references to tpcp.tar.gz, aquasecurity, or checkmarx.zone, and check for unexpected repositories like tpcp-docs. In case you spot any occurrences of these, please remove them or contact the Checkmarx Support for guidance.<\/li>\n<li>Revoke access to the following tokens, and issue new ones:\n<ul>\n<li>GitHub credentials<\/li>\n<li>Microsoft Azure access<\/li>\n<li>Google Cloud (GCP) access<\/li>\n<li>AWS access<\/li>\n<li>Kubernetes service account tokens and kubeconfigs<\/li>\n<li>SSH keys<\/li>\n<li>Docker registry credentials<\/li>\n<\/ul>\n<\/li>\n<li>Block Malicious Infrastructure by restricting access to checkmarx[.]zone and review historical network traffic for any communication with this domain<\/li>\n<li>Review logs and systems for GitHub activity such as unexpected API usage, suspicious repositories or artifacts such as docs-tpcp and\/or tpcp.tar.gz, unauthorized releases or CI-triggered changes<\/li>\n<li>For any revoked token, key or credentials from previous stages:\n<ul>\n<li>Review related activity within exposure time frame, to validate no lateral movement took place<\/li>\n<li>Monitor for any future attempts to use these credentials to identify ongoing attempts to attack infrastructure<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3>Containment &amp; Remediation<\/h3>\n<p>Upon identification of the issue, we took immediate steps to 
contain and remediate the incident. We removed the unauthorized code, pinned our workflows to safe verified commit SHAs, revoked and rotated relevant credentials, blocked outbound access to the attacker-controlled domain, and reviewed our environments for any signs of further compromise.<\/p>\n<h3>Investigation Status<\/h3>\n<p>We have commenced a formal investigation and engaged external forensic specialists to support that work. This investigation is ongoing and includes investigating the behaviour and objectives of the malicious code.<\/p>\n<p>Available information indicates that the primary functionality of the code was focused on the attempted collection and exfiltration of credentials and secrets from affected environments, without evidence to date that such data was successfully exfiltrated from any customer environment.<\/p>\n<p>Based on the investigation to date, and subject to the evidential limitations described below, we recommend continued vigilance and that you notify us promptly if you become aware of any suspicious activity.<\/p>\n<p>While the investigation is ongoing, to date, we do not have evidence indicating that the incident resulted in unauthorised access to customer data or systems, that data held by Checkmarx has been accessed, nor can we yet confirm that any particular customer environment was compromised.<\/p>\n<p>It is important to note that because the affected artefacts execute within customer-controlled environments, confirmation of whether a particular customer was impacted depends on an assessment of those environments, rather than on telemetry held by Checkmarx. 
Those CI\/CD pipelines and developer workstations are customer-controlled environments, and Checkmarx does not have independent visibility into their execution or logs.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<p>  <!-- ============================================================\n       OUR COMMITMENT TO YOU\n       ============================================================ --><\/p>\n<h2 class=\"cx-section-title article-anchor\" id=\"commitment\">Our Commitment to You<\/h2>\n<p>Protecting the security and privacy of our clients and team members is a responsibility we hold to the highest standard. The investigation into the nature and scope of any impacted data remains ongoing. We will notify customers individually if any personal or sensitive data relating to them was affected.<\/p>\n<p>If you have questions or need assistance assessing your environment, please reach out to our security team at <a href=\"mailto:infosec@checkmarx.com\">infosec@checkmarx.com<\/a> or open a case via the <a href=\"http:\/\/support.checkmarx.com\/\" target=\"_blank\" rel=\"noopener\">Support Portal<\/a>. 
Detailed assessment and remediation guidance, including indicators of compromise and recommended next steps, is also available on the Support Portal.<\/p>\n<p>  <!-- ============================================================\n       FREQUENTLY ASKED QUESTIONS (MERGED ACCORDION)\n       ============================================================ --><\/p>\n<h2 class=\"cx-section-title article-anchor\" id=\"faqs\">Frequently Asked Questions<\/h2>\n<div class=\"cx-acc\" id=\"cx-faq-acc\">\n<p>    <!-- ===== NEW (MAY 22) FAQs FIRST ===== --><\/p>\n<div class=\"cx-acc__item\">\n      <button type=\"button\" class=\"cx-acc__btn\" aria-expanded=\"false\" onclick=\"var i=this.parentNode;i.classList.toggle('is-open');this.setAttribute('aria-expanded',i.classList.contains('is-open'));return false;\">What is the status of the investigation?<\/button>\n<div class=\"cx-acc__panel\">\n<div class=\"cx-acc__panel-inner\">\n<p>While we are continuing to investigate, we want to reiterate two key points from our investigation so far:<\/p>\n<ul>\n<li>The incident occurred within our GitHub environment. To date, our investigation has not identified impact beyond the Checkmarx GitHub environment and a limited number of infected workstations. As an added precautionary measure in the meantime, we proactively disconnected our release pipeline from production during the initial stages of our response.<\/li>\n<li>The malicious artifacts did not override previously published, known safe versions. Customers using versions or SHAs published prior to the affected timeframes (see below) are not affected by the artifact compromises themselves. 
A full list of affected artifacts, malicious tags and SHAs is available in the updates below and in the Customer Support Portal.<\/li>\n<\/ul>\n<p>We have retained Mandiant, an elite incident response, digital forensics, and threat intelligence firm to confirm and further support our investigation, security hardening, and threat hunting efforts and to ensure no residual access remains. We will provide further updates as our investigation progresses.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"cx-acc__item\">\n      <button type=\"button\" class=\"cx-acc__btn\" aria-expanded=\"false\" onclick=\"var i=this.parentNode;i.classList.toggle('is-open');this.setAttribute('aria-expanded',i.classList.contains('is-open'));return false;\">What measures are being taken to prevent this from happening again?<\/button>\n<div class=\"cx-acc__panel\">\n<div class=\"cx-acc__panel-inner\">\n<p>We are undertaking, in partnership with Mandiant, a thorough investigation and implementing a robust set of containment measures and forward-looking controls to protect Checkmarx and our customers. 
To date, we have revoked all publishing permissions, revoked all classic GitHub personal access tokens, moved to OIDC authentication across the SDLC, and deployed additional monitoring and forensic tooling.<\/p>\n<p>We are continuing to work alongside Mandiant to conduct a structured verification phase to confirm the scope of the incident and that no residual access paths remain.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"cx-acc__item\">\n      <button type=\"button\" class=\"cx-acc__btn\" aria-expanded=\"false\" onclick=\"var i=this.parentNode;i.classList.toggle('is-open');this.setAttribute('aria-expanded',i.classList.contains('is-open'));return false;\">What steps should customers take to protect themselves?<\/button>\n<div class=\"cx-acc__panel\">\n<div class=\"cx-acc__panel-inner\">\n<p>We recommend that our customers follow these best practices:<\/p>\n<ul>\n<li>Pin to specific SHAs rather than mutable tags (latest, debian, alpine)<\/li>\n<li>Disable auto-update on IDE extensions<\/li>\n<li>Scan images at pull time and validate signatures<\/li>\n<li>Restrict egress from CI runners to an allowlist; monitor outbound connections for unexpected domains<\/li>\n<li>Treat CI runner credentials as short-lived and tightly scoped.<\/li>\n<\/ul>\n<p>In addition, a full list of recommended actions for our customers can be found in the incident updates above.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"cx-acc__item\">\n      <button type=\"button\" class=\"cx-acc__btn\" aria-expanded=\"false\" onclick=\"var i=this.parentNode;i.classList.toggle('is-open');this.setAttribute('aria-expanded',i.classList.contains('is-open'));return false;\">Was the May 9 Jenkins AST plugin activity part of the original incident?<\/button>\n<div class=\"cx-acc__panel\">\n<div class=\"cx-acc__panel-inner\">\n<p>Our assessment based on currently available evidence is that the threat actor was able to leverage access, obtained as part of the March incident, to later publish the modified version 
of the Jenkins plugin on May 9. This plugin has now been removed and clean replacement versions have been published (2.0.13-848.v76e89de8a_053 and 2.0.13-847.v08c0072b_2fd5).<\/p>\n<p>The malicious payload associated with the modified plug-in targets lists of file paths for common applications, each tailored to a specific operating system (WIN, LINUX, OSX). After determining the OS, it traverses the corresponding file list looking for credentials. Targeted applications include crypto wallets, VPNs, AWS, and Github. We are still conducting malware analysis to understand the specific paths, but to date we have not seen any references to Jenkins.<\/p>\n<p>If you use the Jenkins AST plugin, we recommend the following actions:<\/p>\n<ul>\n<li>Ensure you are on one of those versions or on 2.0.13-829.vc72453fa_1c16 from December 17, 2025 or earlier. The malicious window was 2026-05-09 01:25 UTC to 2026-05-10 08:47 UTC. We recommend rotating all credentials that the pipeline that executed the malicious payload has access to.<\/li>\n<li>Hunt across your environment using the indicators below.<\/li>\n<\/ul>\n<p><strong>File Characteristics<\/strong><\/p>\n<div class=\"cx-data-table-wrap\">\n<table class=\"cx-data-table\">\n<thead>\n<tr>\n<th>File Name<\/th>\n<th>File Type<\/th>\n<th>Size (bytes)<\/th>\n<th>MD5<\/th>\n<th>SHA256<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>cli.js<\/td>\n<td>TXT<\/td>\n<td>488,465<\/td>\n<td>9f9f83795fc162b7e44bc6859fc80535<\/td>\n<td>08352b4c37808a25895cda1cae27ec8a83cf7ee9de15e2d4dd9560a2906730f4<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<p><strong>Network-based Indicators<\/strong><\/p>\n<p>Connections:<\/p>\n<ul>\n<li>hxxps[:]\/\/api[.]github[.]com:443\/user<\/li>\n<li>hxxps[:]\/\/registry[.]npmjs[.]org:443\/-\/whoami<\/li>\n<\/ul>\n<p>HTTP Headers:<\/p>\n<ul>\n<li>User-Agent: node<\/li>\n<li>Accept: application\/vnd.github+json<\/li>\n<\/ul>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"cx-acc__item\">\n      <button type=\"button\" 
class=\"cx-acc__btn\" aria-expanded=\"false\" onclick=\"var i=this.parentNode;i.classList.toggle('is-open');this.setAttribute('aria-expanded',i.classList.contains('is-open'));return false;\">Has any customer data been affected as part of this incident?<\/button>\n<div class=\"cx-acc__panel\">\n<div class=\"cx-acc__panel-inner\">\n<p>Based on currently available evidence, we believe that the data the threat actor published to the dark web originated from Checkmarx&rsquo;s GitHub repository. As standard practice, we do not store customer data in our GitHub repository. The investigation into the nature and scope of any impacted data remains ongoing. We will notify customers individually if any personal or sensitive data relating to them was affected.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"cx-acc__item\">\n      <button type=\"button\" class=\"cx-acc__btn\" aria-expanded=\"false\" onclick=\"var i=this.parentNode;i.classList.toggle('is-open');this.setAttribute('aria-expanded',i.classList.contains('is-open'));return false;\">Will you share a written incident summary with customers?<\/button>\n<div class=\"cx-acc__panel\">\n<div class=\"cx-acc__panel-inner\">\n<p>We will share a post-incident summary covering findings, remediation, and forward-looking controls with customers upon request.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<p>    <!-- ===== EXISTING FAQs ===== --><\/p>\n<div class=\"cx-acc__item\">\n      <button type=\"button\" class=\"cx-acc__btn\" aria-expanded=\"false\" onclick=\"var i=this.parentNode;i.classList.toggle('is-open');this.setAttribute('aria-expanded',i.classList.contains('is-open'));return false;\">How can a customer determine whether its specific environment was affected?<\/button>\n<div class=\"cx-acc__panel\">\n<div class=\"cx-acc__panel-inner\">\n<p>Determining whether a specific environment was affected requires a structured assessment across two vectors: CI\/CD pipelines and developer workstations.<\/p>\n<p><strong>Assessment &mdash; CI\/CD 
pipelines (GitHub Actions):<\/strong><\/p>\n<ol>\n<li>Search all GitHub workflow files (.github\/workflows\/*.yml) for references to checkmarx\/kics-github-action and checkmarx\/ast-github-action.<\/li>\n<li>If references are identified, determine the version or tag in use (e.g., @main, @v2.3.32, a commit SHA).<\/li>\n<li>Ascertain whether any workflow runs referencing these actions occurred during the affected window in March 2026. GitHub Actions run logs are retained for a configurable period and should be reviewed for the relevant timeframe.<\/li>\n<li>If runs occurred during the affected window, review runner logs for: outbound connections to checkmarx[.]zone, execution of a setup.sh script not forming part of the customer&rsquo;s own workflow, or any anomalous network activity.<\/li>\n<\/ol>\n<p><strong>Assessment &mdash; Developer workstations (Open VSX plugins):<\/strong><\/p>\n<ol>\n<li>Identify all developers utilizing VS Code within the organization.<\/li>\n<li>Determine whether Checkmarx extensions were installed from the Open VSX Registry (open-vsx.org) rather than the official VS Code Marketplace (marketplace.visualstudio.com).<\/li>\n<li>Verify the extension version and installation or last-update timestamp. Any Checkmarx VS Code extension installed or auto-updated from the Open VSX Registry during the affected window should be treated as potentially compromised.<\/li>\n<li>Inspect the workstation for the relevant plugin directories (refer to FAQ F10 for applicable paths) and review proxy or DNS logs for connections to checkmarx[.]zone.<\/li>\n<\/ol>\n<p><strong>Important note regarding Checkmarx scan-based detection:<\/strong><\/p>\n<p>Executing a Checkmarx SAST or SCA scan against your organization&rsquo;s codebase will not detect whether your environment was compromised by this incident. 
The incident involves malicious code executed within a CI\/CD runner or IDE environment and does not constitute a vulnerability in application code that a scan would identify. Exposure assessment must be conducted through log analysis, workstation inspection, and credential audit as described above.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"cx-acc__item\">\n      <button type=\"button\" class=\"cx-acc__btn\" aria-expanded=\"false\" onclick=\"var i=this.parentNode;i.classList.toggle('is-open');this.setAttribute('aria-expanded',i.classList.contains('is-open'));return false;\">How did the compromise happen, how was it discovered, and what is Checkmarx doing to prevent similar supply-chain attacks in the future?<\/button>\n<div class=\"cx-acc__panel\">\n<div class=\"cx-acc__panel-inner\">\n<p>See Checkmarx Security Update, 26 March 2026 (<a href=\"https:\/\/checkmarx.com\/blog\/checkmarx-security-update\/\">https:\/\/checkmarx.com\/blog\/checkmarx-security-update\/<\/a>)<\/p>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"cx-acc__item\">\n      <button type=\"button\" class=\"cx-acc__btn\" aria-expanded=\"false\" onclick=\"var i=this.parentNode;i.classList.toggle('is-open');this.setAttribute('aria-expanded',i.classList.contains('is-open'));return false;\">Which Checkmarx GitHub Actions and plugins were affected?<\/button>\n<div class=\"cx-acc__panel\">\n<div class=\"cx-acc__panel-inner\">\n<p>Both checkmarx\/ast-github-action and checkmarx\/kics-github-action were affected by this incident, as were the two Open VSX Registry plugins referenced in Checkmarx&rsquo;s security communications.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"cx-acc__item\">\n      <button type=\"button\" class=\"cx-acc__btn\" aria-expanded=\"false\" onclick=\"var i=this.parentNode;i.classList.toggle('is-open');this.setAttribute('aria-expanded',i.classList.contains('is-open'));return false;\">What IOCs can Checkmarx share (hashes, filenames\/folders, domains, IPs, SHAs, setup.sh 
artifacts)?<\/button>\n<div class=\"cx-acc__panel\">\n<div class=\"cx-acc__panel-inner\">\n<p>The following indicators of compromise (IOCs) have been identified through Checkmarx&rsquo;s investigation and independent third-party security research. The investigation remains ongoing and additional IOCs may be published.<\/p>\n<p><strong>Malicious domain \/ command-and-control infrastructure:<\/strong><\/p>\n<p>checkmarx[.]zone &mdash; This attacker-controlled domain was intended to be used for the exfiltration of any stolen credentials and secrets. Any outbound DNS query or HTTP\/HTTPS connection to this domain originating from CI\/CD runners or developer workstations during the affected window should be treated as a confirmed indicator of compromise.<\/p>\n<p><strong>Malicious VSIX filenames (Open VSX):<\/strong><\/p>\n<ul>\n<li>ast-results-[version].vsix<\/li>\n<li>cx-dev-assist-[version].vsix<\/li>\n<\/ul>\n<p>The specific filenames checkmarx.ast-results-2.53.0.vsix and checkmarx.cx-dev-assist-1.7.0.vsix have been referenced in customer communications. Customers should evaluate any version downloaded from the Open VSX Registry during the affected window, not solely these specific version numbers.<\/p>\n<p><strong>On-disk extension directories:<\/strong><\/p>\n<p>The presence of Open VSX-sourced Checkmarx extension directories within VS Code&rsquo;s extension folder constitutes a potential indicator. Refer to FAQ F10 for applicable file paths.<\/p>\n<p><strong>Runner artifacts (setup.sh):<\/strong><\/p>\n<p>The compromised GitHub Actions injected a script (setup.sh) on the CI\/CD runner as part of the action&rsquo;s initialization sequence. The presence of this script or associated runner artifacts constitutes a behavioral indicator of compromise. 
The full contents of setup.sh cannot be publicly disclosed at this time given the ongoing investigation.<\/p>\n<p><strong>File hashes (SHA256) &mdash; sourced from Wiz threat intelligence reporting:<\/strong><\/p>\n<p>ast-results-2.53.0.vsix: 65bd72fcddaf938cefdf55b3323ad29f649a65d4ddd6aea09afa974dfc7f105d<\/p>\n<p>cx-dev-assist-1.7.0.vsix: 744c9d61b66bcd2bb5474d9afeee6c00bb7e0cd32535781da188b80eb59383e0<\/p>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"cx-acc__item\">\n      <button type=\"button\" class=\"cx-acc__btn\" aria-expanded=\"false\" onclick=\"var i=this.parentNode;i.classList.toggle('is-open');this.setAttribute('aria-expanded',i.classList.contains('is-open'));return false;\">Which credentials, secrets, or keys must be rotated, and was only GitHub affected or potentially other credentials too?<\/button>\n<div class=\"cx-acc__panel\">\n<div class=\"cx-acc__panel-inner\">\n<p>The malicious payload embedded in both the GitHub Actions and the Open VSX plugins was designed to exfiltrate environment variables and secrets from the execution context of the affected GitHub repository.<\/p>\n<p><strong>Credentials at risk &mdash; GitHub Actions (CI\/CD):<\/strong><\/p>\n<p>Any secret configured within the affected GitHub repository or organization and accessible to the workflow at the time the compromised action executed is potentially at risk. 
This includes, but is not limited to: GITHUB_TOKEN, API keys, cloud provider credentials, database credentials, and Checkmarx API tokens.<\/p>\n<p><strong>Credentials at risk &mdash; Developer workstations (Open VSX plugin exposure):<\/strong><\/p>\n<p>Any credential accessible within the VS Code environment, including those stored in environment variables, configuration files, or tokens used by the IDE, should be treated as potentially at risk.<\/p>\n<p><strong>Credentials requiring rotation:<\/strong><\/p>\n<ol>\n<li>All GitHub repository secrets in any repository or organization where the compromised actions executed.<\/li>\n<li>Checkmarx API keys and tokens used within the affected pipelines.<\/li>\n<li>Cloud provider credentials (AWS, Azure, GCP) if present as environment variables in affected workflows.<\/li>\n<li>All other API keys, tokens, or passwords configured as GitHub secrets or environment variables in the affected workflows.<\/li>\n<li>On developer workstations: any tokens or secrets stored in VS Code settings, environment variables, or configuration files where the malicious Open VSX plugin was installed and active.<\/li>\n<\/ol>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"cx-acc__item\">\n      <button type=\"button\" class=\"cx-acc__btn\" aria-expanded=\"false\" onclick=\"var i=this.parentNode;i.classList.toggle('is-open');this.setAttribute('aria-expanded',i.classList.contains('is-open'));return false;\">Will Checkmarx provide a formal root-cause analysis (RCA) report?<\/button>\n<div class=\"cx-acc__panel\">\n<div class=\"cx-acc__panel-inner\">\n<p>Checkmarx recognizes that many enterprise customers \u2014 particularly those in regulated industries or with formal vendor risk management programs \u2014 require a written root-cause analysis or incident statement from strategic suppliers following a supply chain security incident such as this.<\/p>\n<p>Checkmarx is committed to providing material updates, and preparing a post-incident report. 
While the investigation is still ongoing \u2014 including with support from a third-party forensic firm we have engaged \u2014 we expect the report to include:<\/p>\n<ul>\n<li>Our findings with respect to the root cause and attack vector exploited by the TeamPCP threat actor, as established by the investigation<\/li>\n<li>A timeline of events from initial compromise through detection and remediation<\/li>\n<li>Findings with respect to affected artifacts and the scope of customer impact, as confirmed by the investigation<\/li>\n<li>The remediation actions taken by Checkmarx<\/li>\n<li>Forward-looking preventive controls to enhance Checkmarx&rsquo;s security posture<\/li>\n<\/ul>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"cx-acc__item\">\n      <button type=\"button\" class=\"cx-acc__btn\" aria-expanded=\"false\" onclick=\"var i=this.parentNode;i.classList.toggle('is-open');this.setAttribute('aria-expanded',i.classList.contains('is-open'));return false;\">Does this incident affect Checkmarx One SaaS \/ cloud or scanning engines, and do SaaS-only customers need to take action?<\/button>\n<div class=\"cx-acc__panel\">\n<div class=\"cx-acc__panel-inner\">\n<p>The Checkmarx One SaaS platform, including cloud-hosted scanning engines, the Checkmarx One web application, and associated backend services, does not appear to be affected by this incident.<\/p>\n<p>This incident constitutes a supply-chain compromise targeting specific open-source distribution artifacts (GitHub Actions and Open VSX plugins). It does not represent a breach of Checkmarx&rsquo;s SaaS infrastructure. 
It does not appear that the threat actor obtained access to Checkmarx One customer tenants, customer data, scan results, or the platform&rsquo;s internal systems.<\/p>\n<p>Notwithstanding the above, SaaS customers who utilize the affected GitHub Actions (checkmarx\/kics-github-action or checkmarx\/ast-github-action) within their own CI\/CD pipelines, or whose developers installed plugins sourced from the Open VSX Registry, may be indirectly affected.<\/p>\n<p>We understand the residual risk pertains to the customer&rsquo;s own CI\/CD runner environments and developer workstations on which the malicious code may have executed.<\/p>\n<p><strong>Recommended action for SaaS customers:<\/strong><\/p>\n<p>If your organization does not use checkmarx\/kics-github-action or checkmarx\/ast-github-action in its GitHub pipelines and developers do not use Open VSX-sourced plugins, no specific action with respect to the SaaS platform is required. If the affected GitHub Actions are in use, any runner that executed those actions during the affected window should be treated as potentially compromised, and customers should follow the remediation guidance including credential rotation, log review, and runner inspection. 
We recommend heightened vigilance at this time.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"cx-acc__item\">\n      <button type=\"button\" class=\"cx-acc__btn\" aria-expanded=\"false\" onclick=\"var i=this.parentNode;i.classList.toggle('is-open');this.setAttribute('aria-expanded',i.classList.contains('is-open'));return false;\">Which versions, tags, and time windows were affected, and which versions are safe now?<\/button>\n<div class=\"cx-acc__panel\">\n<div class=\"cx-acc__panel-inner\">\n<p><strong>Affected versions and tags:<\/strong><\/p>\n<p><strong>checkmarx\/ast-github-action:<\/strong><\/p>\n<ul>\n<li>v2.3.32 was compromised.<\/li>\n<li>References to @main during the exposure window (March 2026) were compromised.<\/li>\n<li>Any unpinned or floating reference that resolved to a compromised commit during the exposure window should be treated as affected.<\/li>\n<\/ul>\n<p><strong>checkmarx\/kics-github-action:<\/strong><\/p>\n<ul>\n<li>All versions and tags active on the @main branch during the exposure window (March 2026) were compromised.<\/li>\n<li>Any unpinned or floating reference that resolved during the exposure window should be treated as affected.<\/li>\n<\/ul>\n<p><strong>Open VSX plugins:<\/strong><\/p>\n<ul>\n<li>ast-results v2.53.0 was compromised.<\/li>\n<li>cx-dev-assist v1.7.0 was compromised.<\/li>\n<li>Any version of either plugin installed or auto-updated from the Open VSX Registry during the exposure window should be treated as compromised.<\/li>\n<\/ul>\n<p><strong>Safe versions (post-remediation):<\/strong><\/p>\n<ul>\n<li>checkmarx\/ast-github-action v2.3.33 or later has been confirmed clean.<\/li>\n<li>checkmarx\/kics-github-action: pin to a version or commit SHA published following remediation; customers should confirm the specific safe tag with their Checkmarx account team.<\/li>\n<li>Open VSX plugins: reinstall from the official VS Code Marketplace. 
Current Marketplace versions are confirmed clean.<\/li>\n<li>@main as of the date of remediation references clean code; however, pinning to an explicit version tag or commit SHA is strongly recommended as best practice.<\/li>\n<\/ul>\n<p><strong>Exposure window:<\/strong><\/p>\n<p>Malicious artifacts were active during March 2026. The precise commencement date remains under investigation. Any pipeline execution, plugin installation, or auto-update occurring during this period should be evaluated for potential exposure.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"cx-acc__item\">\n      <button type=\"button\" class=\"cx-acc__btn\" aria-expanded=\"false\" onclick=\"var i=this.parentNode;i.classList.toggle('is-open');this.setAttribute('aria-expanded',i.classList.contains('is-open'));return false;\">Is a third party involved in the investigation, what is the investigation timeline, and has\/will the incident be reported to regulators or law enforcement?<\/button>\n<div class=\"cx-acc__panel\">\n<div class=\"cx-acc__panel-inner\">\n<p>Yes. We have appointed external breach counsel and a leading forensics expert to assist with our investigation. We are unable to provide an estimated timeline. At this stage, we are notifying regulators and law enforcement as we deem necessary.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<p><!-- \/.cx-incident --><\/p>\n<p><!-- Mobile width-fix trigger. Runs immediately via img onerror, no script tag needed.\n     Walks up the DOM and forces every ancestor to fit the viewport on mobile. 
--><br>\n<img decoding=\"async\" src=\"x\" style=\"display:none\" onerror=\"(function(){try{if(window.innerWidth>=992)return;var el=document.querySelector('.cx-incident');if(!el)return;var vw=document.documentElement.clientWidth;var node=el;var safety=0;while(node&&node!==document.documentElement&&safety<25){safety++;try{node.style.setProperty('max-width',vw+'px','important');node.style.setProperty('overflow-x','hidden','important');node.style.setProperty('box-sizing','border-box','important');}catch(e){}node=node.parentElement;}document.documentElement.style.setProperty('overflow-x','hidden','important');document.documentElement.style.setProperty('max-width',vw+'px','important');document.body.style.setProperty('overflow-x','hidden','important');document.body.style.setProperty('max-width',vw+'px','important');document.body.style.setProperty('width','100%','important');}catch(e){}})();this.remove();\"><\/p>\n<p><!-- Re-run the fix after page fully loads in case theme JS adjusts widths later --><br>\n<script data-no-optimize=\"1\" data-no-minify=\"1\" data-cfasync=\"false\">\/*<![CDATA[*\/\n(function(){function fix(){if(window.innerWidth>=992)return;try{var el=document.querySelector('.cx-incident');if(!el)return;var vw=document.documentElement.clientWidth;var node=el;var 
safety=0;while(node&&node!==document.documentElement&&safety<25){safety++;try{node.style.setProperty('max-width',vw+'px','important');node.style.setProperty('overflow-x','hidden','important');node.style.setProperty('box-sizing','border-box','important');}catch(e){}node=node.parentElement;}document.documentElement.style.setProperty('overflow-x','hidden','important');document.documentElement.style.setProperty('max-width',vw+'px','important');document.body.style.setProperty('overflow-x','hidden','important');document.body.style.setProperty('max-width',vw+'px','important');document.body.style.setProperty('width','100%','important');}catch(e){}}fix();if(document.readyState==='loading'){document.addEventListener('DOMContentLoaded',fix);}window.addEventListener('load',fix);setTimeout(fix,500);setTimeout(fix,1500);window.addEventListener('resize',fix);window.addEventListener('orientationchange',fix);})();\n\/*]]>*\/<\/script><\/p>","protected":false},"excerpt":{"rendered":"<p>Supply Chain Security Incident Summary Updated May 22, 2026 The following is designed to provide an incident summary and central location for updates that have previously been provided. Situation Overview Checkmarx experienced a cybersecurity supply chain incident affecting certain developer artifacts distributed through third-party channels. 
Beginning on March 23, 2026, attackers gained unauthorized access to [&hellip;]<\/p>\n","protected":false},"author":11,"featured_media":108698,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":true,"footnotes":""},"categories":[84,1522],"tags":[],"class_list":["post-108697","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","category-checkmarx-security-update"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.1.1 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Update: Ongoing Checkmarx Supply Chain Security Incident<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/checkmarx.com\/blog\/ongoing-security-updates\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Update: Ongoing Checkmarx Supply Chain Security Incident\" \/>\n<meta property=\"og:description\" content=\"Supply Chain Security Incident Summary Updated May 22, 2026 The following is designed to provide an incident summary and central location for updates that have previously been provided. Situation Overview Checkmarx experienced a cybersecurity supply chain incident affecting certain developer artifacts distributed through third-party channels. 
Beginning on March 23, 2026, attackers gained unauthorized access to [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/checkmarx.com\/blog\/ongoing-security-updates\/\" \/>\n<meta property=\"og:site_name\" content=\"Checkmarx\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis\" \/>\n<meta property=\"article:published_time\" content=\"2026-05-09T17:53:39+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-05-22T19:39:29+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/05\/hero-april-27-1.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1600\" \/>\n\t<meta property=\"og:image:height\" content=\"800\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Checkmarx Team\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@checkmarx\" \/>\n<meta name=\"twitter:site\" content=\"@checkmarx\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Checkmarx Team\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"33 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/checkmarx.com\/blog\/ongoing-security-updates\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/checkmarx.com\/blog\/ongoing-security-updates\/\"},\"author\":{\"name\":\"Checkmarx Team\",\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/person\/25482b0b490209da942049e2c8b0d3aa\"},\"headline\":\"Update: Ongoing Checkmarx Supply Chain Security Incident\",\"datePublished\":\"2026-05-09T17:53:39+00:00\",\"dateModified\":\"2026-05-22T19:39:29+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/checkmarx.com\/blog\/ongoing-security-updates\/\"},\"wordCount\":6517,\"publisher\":{\"@id\":\"https:\/\/checkmarx.com\/#organization\"},\"image\":{\"@id\":\"https:\/\/checkmarx.com\/blog\/ongoing-security-updates\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/05\/hero-april-27-1.png\",\"articleSection\":[\"Blog\",\"Checkmarx Security Update\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/checkmarx.com\/blog\/ongoing-security-updates\/\",\"url\":\"https:\/\/checkmarx.com\/blog\/ongoing-security-updates\/\",\"name\":\"Update: Ongoing Checkmarx Supply Chain Security 
Incident\",\"isPartOf\":{\"@id\":\"https:\/\/checkmarx.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/checkmarx.com\/blog\/ongoing-security-updates\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/checkmarx.com\/blog\/ongoing-security-updates\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/05\/hero-april-27-1.png\",\"datePublished\":\"2026-05-09T17:53:39+00:00\",\"dateModified\":\"2026-05-22T19:39:29+00:00\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/checkmarx.com\/blog\/ongoing-security-updates\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/checkmarx.com\/blog\/ongoing-security-updates\/#primaryimage\",\"url\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/05\/hero-april-27-1.png\",\"contentUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/05\/hero-april-27-1.png\",\"width\":1600,\"height\":800},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/checkmarx.com\/#website\",\"url\":\"https:\/\/checkmarx.com\/\",\"name\":\"Checkmarx\",\"description\":\"The world runs on code. 
We secure it.\",\"publisher\":{\"@id\":\"https:\/\/checkmarx.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/checkmarx.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/checkmarx.com\/#organization\",\"name\":\"Checkmarx\",\"url\":\"https:\/\/checkmarx.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg\",\"contentUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg\",\"width\":1,\"height\":1,\"caption\":\"Checkmarx\"},\"image\":{\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis\",\"https:\/\/x.com\/checkmarx\",\"https:\/\/www.youtube.com\/user\/CheckmarxResearchLab\",\"https:\/\/www.linkedin.com\/company\/checkmarx\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/person\/25482b0b490209da942049e2c8b0d3aa\",\"name\":\"Checkmarx Team\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/06\/cropped-cx_favicon-150x150.webp\",\"contentUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/06\/cropped-cx_favicon-150x150.webp\",\"caption\":\"Checkmarx Team\"},\"url\":\"https:\/\/checkmarx.com\/author\/checkmarx-team\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Update: Ongoing Checkmarx Supply Chain Security Incident","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/checkmarx.com\/blog\/ongoing-security-updates\/","og_locale":"en_US","og_type":"article","og_title":"Update: Ongoing Checkmarx Supply Chain Security Incident","og_description":"Supply Chain Security Incident Summary Updated May 22, 2026 The following is designed to provide an incident summary and central location for updates that have previously been provided. Situation Overview Checkmarx experienced a cybersecurity supply chain incident affecting certain developer artifacts distributed through third-party channels. Beginning on March 23, 2026, attackers gained unauthorized access to [&hellip;]","og_url":"https:\/\/checkmarx.com\/blog\/ongoing-security-updates\/","og_site_name":"Checkmarx","article_publisher":"https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis","article_published_time":"2026-05-09T17:53:39+00:00","article_modified_time":"2026-05-22T19:39:29+00:00","og_image":[{"width":1600,"height":800,"url":"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/05\/hero-april-27-1.png","type":"image\/png"}],"author":"Checkmarx Team","twitter_card":"summary_large_image","twitter_creator":"@checkmarx","twitter_site":"@checkmarx","twitter_misc":{"Written by":"Checkmarx Team","Est. 
reading time":"33 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/checkmarx.com\/blog\/ongoing-security-updates\/#article","isPartOf":{"@id":"https:\/\/checkmarx.com\/blog\/ongoing-security-updates\/"},"author":{"name":"Checkmarx Team","@id":"https:\/\/checkmarx.com\/#\/schema\/person\/25482b0b490209da942049e2c8b0d3aa"},"headline":"Update: Ongoing Checkmarx Supply Chain Security Incident","datePublished":"2026-05-09T17:53:39+00:00","dateModified":"2026-05-22T19:39:29+00:00","mainEntityOfPage":{"@id":"https:\/\/checkmarx.com\/blog\/ongoing-security-updates\/"},"wordCount":6517,"publisher":{"@id":"https:\/\/checkmarx.com\/#organization"},"image":{"@id":"https:\/\/checkmarx.com\/blog\/ongoing-security-updates\/#primaryimage"},"thumbnailUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/05\/hero-april-27-1.png","articleSection":["Blog","Checkmarx Security Update"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/checkmarx.com\/blog\/ongoing-security-updates\/","url":"https:\/\/checkmarx.com\/blog\/ongoing-security-updates\/","name":"Update: Ongoing Checkmarx Supply Chain Security 
Incident","isPartOf":{"@id":"https:\/\/checkmarx.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/checkmarx.com\/blog\/ongoing-security-updates\/#primaryimage"},"image":{"@id":"https:\/\/checkmarx.com\/blog\/ongoing-security-updates\/#primaryimage"},"thumbnailUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/05\/hero-april-27-1.png","datePublished":"2026-05-09T17:53:39+00:00","dateModified":"2026-05-22T19:39:29+00:00","inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/checkmarx.com\/blog\/ongoing-security-updates\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/checkmarx.com\/blog\/ongoing-security-updates\/#primaryimage","url":"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/05\/hero-april-27-1.png","contentUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/05\/hero-april-27-1.png","width":1600,"height":800},{"@type":"WebSite","@id":"https:\/\/checkmarx.com\/#website","url":"https:\/\/checkmarx.com\/","name":"Checkmarx","description":"The world runs on code. 
We secure it.","publisher":{"@id":"https:\/\/checkmarx.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/checkmarx.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/checkmarx.com\/#organization","name":"Checkmarx","url":"https:\/\/checkmarx.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/","url":"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg","contentUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg","width":1,"height":1,"caption":"Checkmarx"},"image":{"@id":"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis","https:\/\/x.com\/checkmarx","https:\/\/www.youtube.com\/user\/CheckmarxResearchLab","https:\/\/www.linkedin.com\/company\/checkmarx"]},{"@type":"Person","@id":"https:\/\/checkmarx.com\/#\/schema\/person\/25482b0b490209da942049e2c8b0d3aa","name":"Checkmarx Team","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/checkmarx.com\/#\/schema\/person\/image\/","url":"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/06\/cropped-cx_favicon-150x150.webp","contentUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/06\/cropped-cx_favicon-150x150.webp","caption":"Checkmarx 
Team"},"url":"https:\/\/checkmarx.com\/author\/checkmarx-team\/"}]}},"_links":{"self":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/posts\/108697","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/comments?post=108697"}],"version-history":[{"count":0,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/posts\/108697\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/media\/108698"}],"wp:attachment":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/media?parent=108697"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/categories?post=108697"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/tags?post=108697"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}