Checkmarx Security Update
好的,我现在需要帮用户总结一篇文章的内容,控制在100字以内。首先,我得仔细阅读文章内容,了解主要信息。 文章提到Checkmarx发现了供应链安全事件,涉及KICS开源项目和两个通过OpenVSX发布的插件。恶意版本在3月23日发布,影响了下载并运行这两个插件的组织。虽然没有影响到客户数据或生产环境,但Checkmarx已经发布了新版本,并建议用户更新插件。此外,他们还建议用户轮换密钥和审查GitHub Actions运行。 接下来,我需要将这些信息浓缩到100字以内。要确保涵盖事件的时间、受影响的插件、已采取的措施以及建议的行动。同时,语言要简洁明了,避免使用复杂的术语。 可能的结构是:时间+事件+受影响范围+已采取措施+建议行动。这样可以全面而简洁地传达信息。 最后,检查字数是否符合要求,并确保没有遗漏关键点。 </think> Checkmarx报告了涉及KICS开源项目及两个插件的供应链安全事件,恶意版本于2026年3月23日发布于OpenVSX。受影响组织需更新至新版本(ast-results 2.56.0及以上,cx-dev-assist 1.10.0及以上),并轮换密钥、审查GitHub Actions以应对潜在风险。 2026-3-24 07:7:20 Author: checkmarx.com(查看原文) 阅读量:10 收藏

We are writing to inform you that Checkmarx has identified a recent supply chain security incident involving the KICS open-source project, and two specific Checkmarx plugins distributed via the OpenVSX marketplace.  

While we are not aware of any impact to customer data or production environments, we continue to actively investigate and will share details as they emerge.

What Happened

On March 23, 2026, at approximately 02:53 UTC, malicious versions of two plugins were published to the OpenVSX registry.


Only organizations that downloaded the following artifacts from OpenVSX today (3/23/2026) between 02:53 UTC and 15:41 UTC and ran it are potentially impacted by this incident.

  • ast-results-2.53.0.vsix
  • cx-dev-assist-1.7.0.vsix

Plugins downloaded from the VS Code Marketplace were not affected.

Current Status

  • We have identified and released new versions of the impacted plugins.
  • Please ensure that you are using these updated versions:
    • For checkmarx.cx-dev-assist – Please use version 1.10.0 and above.
    • For checkmarx.ast-results – Please use version 2.56.0 and above.
  • We are actively working with OpenVSX to remove any remaining malicious artifacts.

Recommended Actions

If you downloaded the malicious versions of either plugin (ast-results-2.53.0.vsix or cx-dev-assist-1.7.0.vsix) from OpenVSX during the affected period, we strongly recommend following these precautionary steps:

  1. Rotate all secrets and credentials accessible to CI runners during the affected period, including GitHub Personal Access Tokens (PATs), cloud service credentials, and repository or organization-level secrets.
  2. Review GitHub Actions runs, search for suspicious indicators such as references to tpcp.tar.gz, aquasecurity, or checkmarx.zone, and check for unexpected repositories like tpcp-docs. In case you spot any occurrences of these, please remove them or contact the Checkmarx Support for guidance.

KICS Open-Source Update

An issue was also identified in KICS GitHub Action on March 23, 2026. It was limited to the GitHub Action distribution between 12:58 and 16:50 UTC and the maintainers acted immediately revoking the affected tags, securing access, and preventing unauthorized changes. The issue was fully resolved by 19:24 UTC. Checkmarx KICS itself remains secure and unaffected.

Additional Guidance

We recommend that you continue adhering to your organization’s standard incident response procedures, including increased monitoring and validation of development and build environments.

Do not download the affected versions of the two plugins listed above (ast-results-2.53.0.vsix or cx-dev-assist-1.7.0.vsix).

We’re Here to Help

Our team is actively monitoring the situation and is available to support you. If you have any questions, please contact Checkmarx Support.

 We take our customers’ security very seriously and are taking steps to reinforce our processes. We will continue to provide updates as more information becomes available.


文章来源: https://checkmarx.com/blog/checkmarx-security-update/
如有侵权请联系:admin#unsafe.sh