Checkmarx Security Update: April 22
Checkmarx reports a supply chain security incident: malicious packages were discovered and have been removed. Affected resources include a Docker image, a GitHub Action and VS Code extensions. Users are advised to block specific domains and IP addresses and to use known safe versions to reduce risk.

2026-04-22 09:04:26 Author: checkmarx.com (view original) Views: 10

Last Updated April 23, 2026

What Happened

On April 22, we communicated with customers about a new development in the supply chain security incident that our team is actively investigating and addressing. We deeply value the trust you place in Checkmarx and are committed to keeping our customers informed as we continue to respond.

As part of our immediate response, we retained outside experts and are working around the clock to get to the bottom of this as quickly as possible. In the interim, we are sharing key findings to-date and recommended actions for our customers to take.

Key Findings

Notably, our investigation thus far indicates that the malicious artifacts did not overwrite previously published, known safe versions. Customers using versions or SHAs published prior to the affected timeframes are not affected.

Affected Artifacts

The following artifacts have been identified as potentially affected:

  1. Checkmarx public DockerHub KICS image: https://hub.docker.com/r/checkmarx/kics
    1. Malicious tags: v2.1.20-debian, v2.1.21-debian, debian, v2.1.21, v2.1.20, alpine, v2.1.20, v2.1.21, latest
    2. Malicious SHAs: sha256:222e6bfed0f3b, sha256:9183908decd0f, sha256:a6871deb0480e, sha256:ff7b0f114f87c, sha256:1b01a97753780, sha256:2588a44890263, sha256:54f8a56bf1f71, sha256:d186161ae8e33, sha256:415610a42c5b5, sha256:e35bc6afc4857, sha256:a0d9366f6f016, sha256:903eef3c05f6e, sha256:26e8e9c5e53c9, sha256:7391b531a07fc, sha256:4c963fa00e585
    3. Timeframe: from 2026-04-22 12:31:35.883 UTC to 2026-04-22 12:59:46.562 UTC
  2. Checkmarx public ast-github-action: https://github.com/checkmarx/ast-github-action
    1. Malicious tags: 2.3.35
    2. Timeframe: from 2026-04-22 14:17:59 UTC to 2026-04-22 15:41:31 UTC
  3. Checkmarx VS Code extension
    1. Microsoft marketplace: https://marketplace.visualstudio.com/items?itemName=checkmarx.ast-results
    2. Open VSX marketplace: https://open-vsx.org/extension/checkmarx/ast-results
    3. Malicious tags: 2.63, 2.66
    4. Timeframe: To be confirmed
  4. Checkmarx Developer Assist extension
    1. Microsoft marketplace: https://marketplace.visualstudio.com/items?itemName=checkmarx.cx-dev-assist
    2. Open VSX marketplace: https://open-vsx.org/extension/checkmarx/cx-dev-assist
    3. Malicious tags: 1.17, 1.19
    4. Timeframe: To be confirmed

Actions We’ve Taken

To date, in response to this development we have:

  1. Removed the malicious artifacts;
  2. Revoked and rotated exposed credentials;
  3. Blocked outbound access to attacker-controlled infrastructure;
  4. Reviewed our environments for any signs of further compromise;
  5. Initiated a forensic investigation with the assistance of an independent, third-party forensic firm.

Recommended Actions

We recommend that our customers take the following steps as soon as possible:

  1. Block access to these domains and IP addresses:
    1. checkmarx.cx => 91[.]195[.]240[.]123
    2. audit.checkmarx.cx => 94[.]154[.]172[.]43
  2. Use pinned SHAs and review or disable auto-update settings in IDE marketplaces
  3. Rotate secrets and credentials if a compromise is suspected or detected
  4. Use only known safe versions, including:
    1. DockerHub KICS image: latest, v2.1.20, alpine, Debian
    2. Checkmarx ast-github-action: v2.3.36
    3. Checkmarx VS Code extensions: v2.64.0
    4. Checkmarx Developer Assist extension: v1.18.0
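As an added example (not code from Checkmarx or this advisory), the following Python script applies the tag, digest and pinning guidance above to CI and container definitions: it classifies each `uses:`, `image:` or `FROM` reference against the artifacts listed in this advisory and reports whether the reference is pinned to an immutable commit SHA or image digest. The listed tags and truncated digests are taken from the advisory; the regex and function names and the sample lines are constructed for illustration.

```python
import re
# Tags and digests below are the ones listed in the advisory; nothing else is.
LISTED_TAGS = {
    "checkmarx/kics": {"v2.1.20-debian", "v2.1.21-debian", "debian",
                       "v2.1.21", "v2.1.20", "alpine", "latest"},
    "checkmarx/ast-github-action": {"2.3.35"},
}
LISTED_KICS_DIGESTS = (  # published truncated, so they are matched as prefixes
    "sha256:222e6bfed0f3b", "sha256:9183908decd0f", "sha256:a6871deb0480e",
    "sha256:ff7b0f114f87c", "sha256:1b01a97753780", "sha256:2588a44890263",
    "sha256:54f8a56bf1f71", "sha256:d186161ae8e33", "sha256:415610a42c5b5",
    "sha256:e35bc6afc4857", "sha256:a0d9366f6f016", "sha256:903eef3c05f6e",
    "sha256:26e8e9c5e53c9", "sha256:7391b531a07fc", "sha256:4c963fa00e585",
)
GIT_SHA = re.compile(r"^[0-9a-f]{40}$")          # immutable Actions ref
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
IMAGE_RE = re.compile(r"^\s*(?:image:|FROM)\s*([^\s#]+)")

def classify_image(ref):
    # Docker Hub 'repo:tag' or 'repo@sha256:...'. Listed tags were re-pointed,
    # so a hit means "verify the digest you actually pulled", not "malicious".
    ref = ref.removeprefix("docker.io/")
    if "@" in ref:
        repo, digest = ref.split("@", 1)
        if repo == "checkmarx/kics" and digest.startswith(LISTED_KICS_DIGESTS):
            return "listed-digest"
        return "pinned-digest"
    repo, _, tag = ref.partition(":")
    return "listed-tag" if tag in LISTED_TAGS.get(repo, ()) else "mutable-tag"

def classify_action(uses):
    # GitHub Actions 'owner/repo@ref'; only a full commit SHA cannot be re-pointed.
    repo, _, ref = uses.partition("@")
    if ref in LISTED_TAGS.get(repo, ()):
        return "listed-tag"
    return "pinned-sha" if GIT_SHA.match(ref) else "mutable-ref"

def scan(text):
    # Return (line_no, reference, verdict) for every uses:, image: or FROM line.
    out = []
    for n, line in enumerate(text.splitlines(), 1):
        if m := USES_RE.match(line):
            out.append((n, m.group(1), classify_action(m.group(1))))
        elif m := IMAGE_RE.match(line):
            out.append((n, m.group(1), classify_image(m.group(1))))
    return out

SAMPLE = "\n".join([  # constructed: workflow steps, a Dockerfile and a compose line
    "    - uses: checkmarx/ast-github-action@2.3.35",
    "    - uses: actions/checkout@" + "0" * 40,                # placeholder SHA
    "FROM checkmarx/kics:latest",
    "    image: checkmarx/kics@sha256:222e6bfed0f3b" + "0" * 51,  # constructed
])
```

Run `scan()` over your workflow, Dockerfile and compose files; a `listed-tag` hit is a prompt to compare the digest you actually pulled against the listed SHAs, since several of those tag names now point at safe images.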

Next Steps

This is an ongoing investigation. Please continue to monitor the Checkmarx Community Incident Page for more information.

If you have questions about this development, please open a case via the Support Portal.  

We are grateful for your continued support and patience as we work to address this incident.

Source: https://checkmarx.com/blog/checkmarx-security-update-april-22/