Update: Ongoing Checkmarx Supply Chain Security Incident
Published 2026-05-09 18:46:39. Author: checkmarx.com

Incident Update: Saturday, May 9, 2026

We are aware that a modified version of the Checkmarx Jenkins AST plugin was published to the Jenkins Marketplace. We are in the process of publishing a new version of this plugin.

If you are using the Checkmarx Jenkins AST plugin, ensure that you are using only version 2.0.13-829.vc72453fa_1c16, which was published on Dec. 17, 2025.

We will continue to share updates as we have them available.

Incident Update: Monday, April 27, 2026

What happened?

On March 23, 2026, Checkmarx identified a cybersecurity incident originating from the Trivy Supply Chain Attack. The cybersecurity community previously reported on March 19 that the TeamPCP attack affecting the Trivy scanner could potentially be used to harvest credentials from downstream users.

While we are still investigating the incident, we believe this is the likely vector that enabled the attackers to obtain credentials and to gain unauthorized access to our GitHub repositories. As a result of that access, the attackers were able to interact with Checkmarx’s GitHub environment and subsequently publish malicious code to certain artifacts.

As part of our investigation into the incident, we identified that exfiltration of data took place on March 30, 2026. A cybercriminal group subsequently published data related to Checkmarx to the dark web on April 25. Current evidence indicates that this data originated from Checkmarx’s GitHub repositories, and that access to those repositories was facilitated through the initial supply chain attack of March 23, 2026.

Importantly, Checkmarx’s GitHub repositories are maintained separately from our customer production environment. As standard practice, we do not store customer data in our GitHub repository.

Incident Timeline

MARCH

  • Mar 23 (Event): Compromised artifacts published. Malicious Checkmarx artifacts are published; the attacker pushes malicious code directly into the Checkmarx GitHub repository.

Containment, investigation, remediation and communication efforts commenced immediately and remain ongoing.

APRIL

  • Apr 22 (Persistence): Compromised artifacts published. A second wave of malicious Checkmarx artifacts is published, indicating continued or renewed attacker access.

  • Apr 25 (Disclosure): LAPSUS$ publishes stolen data. LAPSUS$ publicly releases data stamped March 30, nearly one month after the suspected exfiltration of data from the Checkmarx GitHub repository by the attacker.

Timeline phases: Breach / Exfiltration; Persistence; Disclosure.

Actions we have taken

Upon identification of the incident, Checkmarx commenced a formal investigation and engaged external forensic specialists to support that work.

Initial steps Checkmarx took to contain and remediate the incident included:

  • Removed unauthorized code and published clean artifacts
  • Implemented additional safeguards within our development and distribution workflows
  • Rotated credentials identified as potentially exposed, with validation and follow-up rotation continuing as the investigation progressed
  • Reviewed our environments for indications of further compromise

Following evidence of further malicious artifacts we took additional steps to strengthen our security posture:

  • Engaged law enforcement to make them aware of the incident
  • Retained Mandiant, an elite incident response, digital forensics, and threat intelligence firm, to bolster our investigation efforts
  • Conducted a wider rotation of credentials across the environment
  • Implemented additional security controls, tools, and access restrictions within our development environment
  • Performed additional reviews of access pathways and integrations
  • Locked down access to the affected GitHub repositories while the investigation continues
  • Commenced a code audit to verify that no further malicious code is present beyond the findings already identified

We are now in the final stages of our investigation and confirming that the unauthorised access has been fully contained. We will share further on this as soon as we are able.

Additional Information

We have communicated with our customers throughout this process and will continue to provide relevant updates as more information becomes available. Further information, including recommended steps customers can take, is available on our Support Portal or in our Security Updates.

Incident Update: Sunday, April 26, 2026

New Development: GitHub Repository

We are writing to inform you of a new development in the ongoing Checkmarx supply chain security incident. 

Our investigation, conducted with support from a leading third-party forensic firm, indicates that a cybercriminal group has published data related to Checkmarx to the dark web. Based on current evidence, we believe this data originated from Checkmarx’s GitHub repository, and that access to that repository was facilitated through the initial supply chain attack of March 23, 2026. 

Checkmarx’s GitHub repository is maintained separately from our customer production environment. As standard practice, we do not store customer data in our GitHub repository. Our forensic investigation is ongoing and we are actively working to verify the nature and scope of the posted data. 

As part of our immediate response, we have locked down access to the affected GitHub repository while the investigation continues. 

If we determine that customer information was involved in this incident, we will notify customers and all relevant parties immediately. 

We expect to share a more detailed update within 24 hours. 

Questions and Support 

If you have questions about this incident or need assistance assessing your environment, please open a case via the Support Portal.

Incident Update: Wednesday, April 22, 2026

What Happened

On April 22, we communicated with customers about a new development in the supply chain security incident that our team is actively investigating and addressing. We deeply value the trust you place in Checkmarx and are committed to keeping our customers informed as we continue to respond.

As part of our immediate response, we retained outside experts and are working around the clock to get to the bottom of this as quickly as possible. In the interim, we are sharing key findings to-date and recommended actions for our customers to take.

Key Findings

Notably, our investigation thus far indicates that the malicious artifacts did not override previously published, known safe versions. Customers using versions or SHAs published prior to the affected timeframes are not affected.

Affected Artifacts

The following artifacts have been identified as potentially affected:

  1. Checkmarx public DockerHub KICS image: https://hub.docker.com/r/checkmarx/kics
    1. Malicious tags: v2.1.20-debian, v2.1.21-debian, debian, v2.1.21, v2.1.20, alpine, v2.1.20, v2.1.21, latest
    2. Malicious SHAs: sha256:222e6bfed0f3b, sha256:9183908decd0f, sha256:a6871deb0480e, sha256:ff7b0f114f87c, sha256:1b01a97753780, sha256:2588a44890263, sha256:54f8a56bf1f71, sha256:d186161ae8e33, sha256:415610a42c5b5, sha256:e35bc6afc4857, sha256:a0d9366f6f016, sha256:903eef3c05f6e, sha256:26e8e9c5e53c9, sha256:7391b531a07fc, sha256:4c963fa00e585
    3. Timeframe: from 2026-04-22 12:31:35.883 UTC to 2026-04-22 12:59:46.562 UTC
  2. Checkmarx public ast-github-action: https://github.com/checkmarx/ast-github-action
    1. Malicious tags: 2.3.35
    2. Timeframe: from 2026-04-22 14:17:59 UTC to 2026-04-22 15:41:31 UTC
  3. Checkmarx VS Code extension
    1. Microsoft marketplace: https://marketplace.visualstudio.com/items?itemName=checkmarx.ast-results
    2. Open VSX marketplace: https://open-vsx.org/extension/checkmarx/ast-results
    3. Malicious tags: 2.63, 2.66
    4. Timeframe, Microsoft marketplace: from 2026-04-22 13:06:00 UTC to 2026-04-22 17:48:00 UTC
    5. Timeframe, Open VSX marketplace: from 2026-04-22 13:06:00 UTC to 2026-04-22 21:20:00 UTC
  4. Checkmarx Developer Assist extension
    1. Microsoft marketplace: https://marketplace.visualstudio.com/items?itemName=checkmarx.cx-dev-assist
    2. Open VSX marketplace: https://open-vsx.org/extension/checkmarx/cx-dev-assist
    3. Malicious tags: 1.17, 1.19
    4. Timeframe, Microsoft marketplace: from 2026-04-22 13:06:00 UTC to 2026-04-22 17:48:00 UTC
    5. Timeframe, Open VSX marketplace: from 2026-04-22 13:06:00 UTC to 2026-04-22 21:20:00 UTC

Actions We’ve Taken

To date, in response to this development we have:

  1. Removed the malicious artifacts;
  2. Revoked and rotated exposed credentials;
  3. Blocked outbound access to attacker-controlled infrastructure;
  4. Reviewed our environments for any signs of further compromise;
  5. Initiated a forensic investigation with the assistance of an independent, third-party forensic firm.

Recommended Actions

We recommend that our customers take the following steps as soon as possible:

  1. Block access to these domains and IP addresses:
    1. checkmarx.cx => 91[.]195[.]240[.]123
    2. audit.checkmarx.cx => 94[.]154[.]172[.]43
  2. Use pinned SHAs and review or disable auto-update settings in IDE marketplaces
  3. Rotate secrets and credentials if a compromise is suspected or detected
  4. Current safe versions:
    1. DockerHub KICS image: latest, v2.1.20, alpine, Debian
    2. Checkmarx ast-github-action: v2.3.36
    3. Checkmarx VS Code extensions: v2.67.0
    4. Checkmarx Developer Assist extension: v1.18.0

Guidance for CxSAST On-Premise Customers

We have received questions from customers running CxSAST on-premise about whether their environments are within the scope of this incident. This communication outlines what is, and is not, in scope for your specific environment (CxSAST on-premise and CxSAST hosted), and the limited circumstance under which you may need to take action.

Scope Summary

Based on our investigation to date, the artifacts confirmed as compromised in this incident are externally distributed components associated with Checkmarx One. They are not part of, and are not delivered with, a CxSAST on-premise installation. Specifically:

  • CxSAST on-premise itself was not compromised. The incident affected externally distributed artifacts, not the CxSAST product or its installer.
  • Checkmarx One (SaaS) infrastructure has not been identified as compromised. We mention this for completeness, as customer questions often span both deployment models.
  • The compromised GitHub Actions (checkmarx/ast-github-action and checkmarx/kics-github-action) are used to invoke Checkmarx One scans from CI/CD pipelines. They are not used by CxSAST on-premise customers in that role.
  • The compromised VS Code extensions (checkmarx.ast-results and checkmarx.cx-dev-assist) are the Checkmarx One IDE integrations. The CxSAST on-premise IDE plugin is a separate component and was not affected.

Although CxSAST on-premise is out of scope for the compromised artifacts, an incident of this nature warrants standard security vigilance regardless of deployment model. Below we outline the specific conditions that would require a CxSAST on-premise customer to take action as a result of this incident.

Action Required If Applicable

If your organization independently uses the open-source KICS scanner — specifically by pulling the public KICS image from Docker Hub (hub.docker.com/r/checkmarx/kics) outside of any CxSAST or Checkmarx One workflow — we recommend further action if the image was pulled during the affected time window. This image is distinct from the CxSAST product and from the IaC scanning capability built into Checkmarx One.

The compromised KICS image was present on Docker Hub during the following window:

  • From 2026-04-22 12:31:35 UTC to 2026-04-22 12:59:46 UTC.

If you did not pull from Docker Hub during this window, you do not need to take further action. If you did, or are uncertain, verify the image SHA against the list of malicious SHAs in our public advisory; treat any match as a potential compromise of the host that pulled the image and take further action as appropriate.
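The digest comparison described above, as an added example that is not part of the advisory or of Checkmarx's tooling: the script takes the JSON that `docker image inspect` prints for a locally present KICS image and prefix-matches every image ID and repository digest against the truncated SHAs published in the April 22 update on this page. The digest list is the page's; the sample inspect output is constructed, and the function names are this example's own.

```python
import json
import subprocess

# Truncated digests from the April 22, 2026 advisory (page data). Docker Hub
# digests are 64 hex characters; the advisory publishes the first 13, so the
# comparison below is a prefix match and a hit should be confirmed manually.
MALICIOUS_KICS_DIGEST_PREFIXES = (
    "sha256:222e6bfed0f3b", "sha256:9183908decd0f", "sha256:a6871deb0480e",
    "sha256:ff7b0f114f87c", "sha256:1b01a97753780", "sha256:2588a44890263",
    "sha256:54f8a56bf1f71", "sha256:d186161ae8e33", "sha256:415610a42c5b5",
    "sha256:e35bc6afc4857", "sha256:a0d9366f6f016", "sha256:903eef3c05f6e",
    "sha256:26e8e9c5e53c9", "sha256:7391b531a07fc", "sha256:4c963fa00e585",
)


def digest_is_known_bad(digest):
    """True when a full or truncated sha256 digest starts with a published prefix."""
    d = digest.strip().lower()
    if not d.startswith("sha256:"):
        d = "sha256:" + d
    return any(d.startswith(prefix) for prefix in MALICIOUS_KICS_DIGEST_PREFIXES)


def assess_inspect_output(inspect_json):
    """Assess the JSON array printed by `docker image inspect <image>`.

    Both the local image ID (config digest) and every RepoDigest (registry
    manifest digest, formatted as "repo@sha256:<hex>") are checked, because the
    advisory does not say which form its SHAs are, and a prefix hit on either
    is worth investigating.
    """
    report = []
    for image in json.loads(inspect_json):
        candidates = [image.get("Id", "")] + list(image.get("RepoDigests", []))
        for entry in candidates:
            digest = entry.split("@", 1)[-1]
            if digest.startswith("sha256:"):
                report.append({"ref": entry, "known_bad": digest_is_known_bad(digest)})
    return report


def inspect_local_image(image="checkmarx/kics:latest"):
    """Run docker image inspect for a local image; [] if docker or the image is absent.

    Note that `Created` in the inspect output is the build time, not the pull time,
    so it cannot be used to check the advisory's publication window; the digest is
    the reliable signal.
    """
    try:
        proc = subprocess.run(["docker", "image", "inspect", image],
                              capture_output=True, text=True)
    except FileNotFoundError:
        return []
    if proc.returncode != 0:
        return []
    return assess_inspect_output(proc.stdout)


# Constructed sample: one clean config digest, one repo digest that starts with a
# published prefix (padded to 64 hex chars), and one clean repo digest.
SAMPLE_INSPECT_JSON = json.dumps([{
    "Id": "sha256:" + "cd" * 32,
    "RepoTags": ["checkmarx/kics:latest"],
    "RepoDigests": [
        "checkmarx/kics@sha256:222e6bfed0f3b" + "0" * 51,
        "checkmarx/kics@sha256:" + "ab" * 32,
    ],
}])

if __name__ == "__main__":
    results = inspect_local_image() or assess_inspect_output(SAMPLE_INSPECT_JSON)
    for row in results:
        print("KNOWN BAD" if row["known_bad"] else "no match ", row["ref"])
```

Run it on any host that pulled `checkmarx/kics` during the window; with no docker present it falls back to the constructed sample so the logic can still be exercised. A known-bad hit means the host that pulled the image should be handled as described in the paragraph above.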

Precautionary Actions for All Customers

For most CxSAST on-premise customers, no product-level remediation is required. As precautionary measures aligned with the broader incident, we recommend:

  • Block outbound access at the network perimeter to: checkmarx.cx (91.195.240.123), audit.checkmarx.cx (94.154.172.43), updates.checkmarx.cx (94.154.172.183), and checkmarx.zone (associated with the March 23 round).
  • If your developers use VS Code, confirm that any installed Checkmarx extensions are sourced from the official Microsoft VS Code Marketplace and are current safe versions (ast-results v2.67.0 and Developer Assist v1.18.0 or v1.20.0). Consider temporarily disabling auto-update on these extensions until the investigation is closed.
  • Review CI/CD logs and developer workstation telemetry for outbound connections to any of the domains and IPs above during the affected windows.

Where to Go for Help

For environment-specific questions, please open a Support case via the Support Portal at support.checkmarx.com.

We will continue to update this page as our investigation progresses.

Next Steps

This is an ongoing investigation. Please continue to monitor the Checkmarx Community Incident Page for more information.

If you have questions about this development, please open a case via the Support Portal.

We are grateful for your continued support and patience as we work to address this incident.

Incident Update: Monday, March 23, 2026

On March 23, 2026, Checkmarx identified a cybersecurity supply chain incident affecting certain Checkmarx‑related developer artifacts distributed via third‑party channels.

This post contains a structured overview of the incident and the steps we have taken to date, as well as additional resources to support our clients and team members.

What Happened

On March 23, 2026, Checkmarx was the target of a cybersecurity supply chain incident which affected two specific plugins distributed via the OpenVSX marketplace and two of our GitHub Actions workflows.

OpenVSX Plugins

On March 23, 2026, at approximately 02:53 UTC, malicious versions of two plugins were published to the OpenVSX registry.

Only organizations that downloaded the following artifacts from OpenVSX on 23 March, 2026 between 02:53 UTC and 15:41 UTC and ran them are potentially impacted by this incident.

  • ast-results-2.53.0.vsix
  • cx-dev-assist-1.7.0.vsix

The affected plug-ins are no longer available and all older GitHub versions have been permanently removed.

Plugins downloaded from the VS Code Marketplace were not affected.

Recommended actions

The following guidance is provided as a precautionary measure to support customer‑led assessments and remediation, where relevant to their environments.

If a client downloaded and ran either of the above extensions from the Open VSX registry, their organization may be affected.

If the client organization may have been affected, we strongly recommend taking the following steps as soon as possible.

1. Remove Malicious Components

  • Uninstall the following VSIX extensions from all environments:
    • checkmarx.ast-results-2.53.0.vsix
    • checkmarx.cx-dev-assist-1.7.0.vsix
  • Use ast-github-action v2.3.33 only
  • Use kics-github-action v2.1.20 only
  • Ensure they are removed from:
    • All developer machines
    • All VS Code profiles and environments

2. Revoke and Rotate Credentials

GitHub Actions

An issue was also identified in the KICS and AST GitHub Actions on March 23, 2026. The attacker injected malicious payloads into the following GitHub Actions, which were available between 12:58 and 16:50 UTC:

  • checkmarx/ast-github-action
  • checkmarx/kics-github-action

Maintainers revoked the affected tags, securing access and preventing unauthorized changes.

All GitHub Actions have been updated to the following latest verified releases, and all older versions have been permanently deleted from the organization’s repositories:

  • ast-github-action — v2.3.33 (released March 23, 2026)
  • kics-github-action — v2.1.20 (released March 23, 2026)

These are the only versions available in our repos. All pipelines must reference only these versions or newer ones.

Recommended actions

If you downloaded the malicious versions of either plugin (ast-results-2.53.0.vsix or cx-dev-assist-1.7.0.vsix) from OpenVSX during the affected period, we strongly recommend following these precautionary steps:

  • Revoke and rotate all secrets and credentials accessible to CI runners during the affected period, including GitHub Personal Access Tokens (PATs), cloud service credentials, and repository or organization-level secrets.
  • Review GitHub Actions runs, search for suspicious indicators such as references to tpcp.tar.gz, aquasecurity, or checkmarx.zone, and check for unexpected repositories like tpcp-docs. If you spot any occurrences of these, remove them or contact Checkmarx Support for guidance.
  • Revoke access to the following tokens, and issue new ones:
    • GitHub credentials
    • Microsoft Azure access
    • Google Cloud (GCP) access
    • AWS access
    • Kubernetes service account tokens and kubeconfigs
    • SSH keys
    • Docker registry credentials
  • Block malicious infrastructure by restricting access to checkmarx[.]zone, and review historical network traffic for any communication with this domain
  • Review logs and systems for GitHub activity such as unexpected API usage, suspicious repositories or artifacts such as docs-tpcp and/or tpcp.tar.gz, and unauthorized releases or CI-triggered changes
  • For any token, key or credential revoked in the previous steps:
    • Review related activity within the exposure time frame to validate that no lateral movement took place
    • Monitor for any future attempts to use these credentials, to identify ongoing attempts to attack infrastructure

Containment & Remediation

Upon identification of the issue, we took immediate steps to contain and remediate the incident. We removed the unauthorized code, pinned our workflows to safe verified commit SHAs, revoked and rotated relevant credentials, blocked outbound access to the attacker-controlled domain, and reviewed our environments for any signs of further compromise.

Investigation Status

We have commenced a formal investigation and engaged external forensic specialists to support that work. This investigation is ongoing and includes investigating the behaviour and objectives of the malicious code.

Available information indicates that the primary functionality of the code was focused on the attempted collection and exfiltration of credentials and secrets from affected environments, without evidence to date that such data was successfully exfiltrated from any customer environment.

Based on the investigation to date, and subject to the evidential limitations described below, we recommend continued vigilance and that you notify us promptly if you become aware of any suspicious activity.

While the investigation is ongoing, to date, we do not have evidence indicating that the incident resulted in unauthorised access to customer data or systems, that data held by Checkmarx has been accessed, nor can we yet confirm that any particular customer environment was compromised.

It is important to note that because the affected artefacts execute within customer‑controlled environments, confirmation of whether a particular customer was impacted depends on an assessment of those environments, rather than on telemetry held by Checkmarx. Those CI/CD pipelines and developer workstations are customer‑controlled environments, and Checkmarx does not have independent visibility into their execution or logs.

Our Commitment to You

If you have any questions or need assistance assessing client exposure, please reach out to our security team at [email protected]. Additionally, we have published detailed assessment and remediation guidance, including indicators of compromise, version information and recommended next steps for customers on our support portal.  

Protecting the security and privacy of our clients and team members is a responsibility we hold to the highest standard. As part of our commitment to transparency, we will provide updates as appropriate and as our investigation progresses.

Frequently Asked Questions

How can a customer determine whether its specific environment was affected?

Determining whether a specific environment was affected requires a structured assessment across two vectors: CI/CD pipelines and developer workstations.

Assessment — CI/CD pipelines (GitHub Actions):

  1. Search all GitHub workflow files (.github/workflows/*.yml) for references to checkmarx/kics-github-action and checkmarx/ast-github-action.
  2. If references are identified, determine the version or tag in use (e.g., @main, @v2.3.32, a commit SHA).
  3. Ascertain whether any workflow runs referencing these actions occurred during the affected window in March 2026. GitHub Actions run logs are retained for a configurable period and should be reviewed for the relevant timeframe.
  4. If runs occurred during the affected window, review runner logs for: outbound connections to checkmarx[.]zone, execution of a setup.sh script not forming part of the customer’s own workflow, or any anomalous network activity.
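As an added example that is not Checkmarx's own tooling, the following Python script carries out the four CI/CD assessment steps above over workflow files and exported run logs: it finds every `uses:` reference to the two actions, classifies the reference (pinned commit SHA, floating branch, the April 22 tag, a tag below the March 23 verified minimum), and scans runner or proxy log lines for the domains, IPs and artifact names this page lists as indicators. The action names, release numbers, tag and indicators are those stated on the page; the sample workflow, the sample log lines and the function names are constructed for this example.

```python
import re
import sys

# Action names, verified releases, affected tag and indicators come from the
# advisory. Function names and sample inputs are this example's own.
WATCHED_ACTIONS = ("checkmarx/ast-github-action", "checkmarx/kics-github-action")
# Verified releases published March 23, 2026; older tags were deleted from the repos.
MIN_VERIFIED = {
    "checkmarx/ast-github-action": (2, 3, 33),
    "checkmarx/kics-github-action": (2, 1, 20),
}
# Tag published in the April 22, 2026 wave. It is newer than the March minimum,
# so it is checked before the version comparison.
AFFECTED_TAGS = {"checkmarx/ast-github-action": {"2.3.35", "v2.3.35"}}
# Floating references that resolved to compromised commits during the March window.
FLOATING_REFS = {"main", "master"}
# Indicators listed on this page for runner-log and network-log review. setup.sh
# only matters when it is not part of the customer's own workflow, so every hit
# is a review item, not an automatic verdict.
LOG_IOC_PATTERNS = {
    "checkmarx.zone": re.compile(r"checkmarx\.zone\b", re.I),
    "checkmarx.cx": re.compile(r"checkmarx\.cx(?![\w-])", re.I),  # not checkmarx.cx-dev-assist
    "91.195.240.123": re.compile(r"\b91\.195\.240\.123\b"),
    "94.154.172.43": re.compile(r"\b94\.154\.172\.43\b"),
    "94.154.172.183": re.compile(r"\b94\.154\.172\.183\b"),
    "tpcp.tar.gz": re.compile(r"tpcp\.tar\.gz", re.I),
    "tpcp-docs": re.compile(r"\btpcp-docs\b", re.I),
    "docs-tpcp": re.compile(r"\bdocs-tpcp\b", re.I),
    "setup.sh": re.compile(r"\bsetup\.sh\b", re.I),
}
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^@\s'"]+)@([^\s'"#]+)""", re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
NEEDS_ACTION = {"floating-branch", "affected-tag", "below-verified-minimum", "unparsed-ref"}


def _version_tuple(tag):
    try:
        return tuple(int(p) for p in tag.lstrip("vV").split("."))
    except ValueError:
        return None


def classify_ref(action, ref):
    """Classify how a workflow references one of the watched actions."""
    if SHA_RE.match(ref):
        return "pinned-sha"          # still confirm the SHA is a post-remediation commit
    if ref in FLOATING_REFS:
        return "floating-branch"     # resolved to whatever the branch held during the window
    if ref in AFFECTED_TAGS.get(action, set()):
        return "affected-tag"
    version = _version_tuple(ref)
    if version is None:
        return "unparsed-ref"
    if version < MIN_VERIFIED.get(action, (0,)):
        return "below-verified-minimum"
    return "tag-at-or-above-minimum"


def audit_workflow_text(text):
    """One finding per `uses:` line that references a watched action."""
    findings = []
    for match in USES_RE.finditer(text):
        action, ref = match.group(1).lower(), match.group(2)
        if action in WATCHED_ACTIONS:
            findings.append({"action": action, "ref": ref, "status": classify_ref(action, ref)})
    return findings


def find_iocs(log_lines):
    """(line_index, indicator) pairs for every log line that mentions an indicator."""
    hits = []
    for idx, line in enumerate(log_lines):
        for name, pattern in LOG_IOC_PATTERNS.items():
            if pattern.search(line):
                hits.append((idx, name))
    return hits


# Constructed sample workflow: one floating reference, one verified tag, one April tag.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  sast:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Checkmarx One scan
        uses: checkmarx/ast-github-action@main
      - uses: checkmarx/kics-github-action@v2.1.20
      - uses: checkmarx/ast-github-action@2.3.35
"""
# Constructed sample runner log; the third line illustrates the domain indicator only.
SAMPLE_RUNNER_LOG = [
    "2026-03-23T13:02:11Z Run checkmarx/ast-github-action@main",
    "2026-03-23T13:02:12Z bash setup.sh",
    "2026-03-23T13:02:14Z outbound connection to checkmarx.zone:443",
    "2026-03-23T13:05:00Z Upload artifact results.sarif",
]

if __name__ == "__main__":
    # Usage: python audit.py .github/workflows/*.yml  (no args: run on the sample)
    texts = [open(p, encoding="utf-8").read() for p in sys.argv[1:]] or [SAMPLE_WORKFLOW]
    for text in texts:
        for f in audit_workflow_text(text):
            flag = "ACTION" if f["status"] in NEEDS_ACTION else "ok    "
            print(flag, f["action"], "@", f["ref"], f["status"])
    for idx, name in find_iocs(SAMPLE_RUNNER_LOG):
        print("IOC line", idx, name)
```

Feed exported workflow-run logs (and proxy or DNS logs from the same window) to `find_iocs`; any workflow finding whose status is in `NEEDS_ACTION`, or any log hit other than a `setup.sh` that belongs to your own workflow, should be followed by the credential rotation and runner inspection described in this FAQ.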

Assessment – Developer workstations (Open VSX plugins):

  1. Identify all developers utilizing VS Code within the organization.
  2. Determine whether Checkmarx extensions were installed from the Open VSX Registry (open-vsx.org) rather than the official VS Code Marketplace (marketplace.visualstudio.com).
  3. Verify the extension version and installation or last-update timestamp. Any Checkmarx VS Code extension installed or auto-updated from the Open VSX Registry during the affected window should be treated as potentially compromised.
  4. Inspect the workstation for the relevant plugin directories (refer to FAQ F10 for applicable paths) and review proxy or DNS logs for connections to checkmarx[.]zone.
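An added example for the developer-workstation steps above (not Checkmarx's own tooling): it walks a VS Code extensions folder, reads each extension's `package.json`, and reports every Checkmarx-published extension as a known-malicious version, a version installed during one of the affected windows, a version this page lists as safe, or one needing review. The version numbers and windows are this page's; the directory layout (`<publisher>.<name>-<version>/package.json`, as used by `~/.vscode/extensions`) and the use of directory mtime as an approximation of install time are assumptions of this example, as are the function names and the constructed sample folder built by `demo()`. The page does not say how to tell an Open VSX install from a Marketplace install on disk, so the script does not attempt that and treats any matching version as affected regardless of source.

```python
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

UTC = timezone.utc
# Versions named on this page (March 23 Open VSX wave and April 22 wave).
AFFECTED_VERSIONS = {
    "checkmarx.ast-results": {"2.53.0", "2.63", "2.66"},
    "checkmarx.cx-dev-assist": {"1.7.0", "1.17", "1.19"},
}
# Versions this page calls current safe versions.
SAFE_VERSIONS = {
    "checkmarx.ast-results": {"2.67.0"},
    "checkmarx.cx-dev-assist": {"1.18.0", "1.20.0"},
}
# Publication windows from this page; the April window uses the later Open VSX close.
AFFECTED_WINDOWS = [
    ("March 23 Open VSX wave", datetime(2026, 3, 23, 2, 53, tzinfo=UTC),
     datetime(2026, 3, 23, 15, 41, tzinfo=UTC)),
    ("April 22 wave", datetime(2026, 4, 22, 13, 6, tzinfo=UTC),
     datetime(2026, 4, 22, 21, 20, tzinfo=UTC)),
]


def _norm(version):
    """Treat '2.63' and '2.63.0' as the same release."""
    parts = version.strip().lstrip("vV").split(".")
    while len(parts) > 2 and parts[-1] == "0":
        parts.pop()
    return ".".join(parts)


def assess_extension(ext_id, version, installed_at=None):
    """Return a status for one extension; installed_at may be a datetime or ISO string."""
    ext_id = ext_id.lower()
    if ext_id not in AFFECTED_VERSIONS:
        return "not-in-scope"
    if isinstance(installed_at, str):
        installed_at = datetime.fromisoformat(installed_at)
    norm = _norm(version)
    if norm in {_norm(v) for v in AFFECTED_VERSIONS[ext_id]}:
        return "known-malicious-version"
    if installed_at is not None and any(start <= installed_at <= end
                                        for _, start, end in AFFECTED_WINDOWS):
        return "installed-in-affected-window"
    if norm in {_norm(v) for v in SAFE_VERSIONS[ext_id]}:
        return "safe-version"
    return "review-version"


def scan_extensions_dir(root):
    """Assess every Checkmarx-published extension under a VS Code extensions folder.

    Assumption: each extension lives in <publisher>.<name>-<version>/package.json;
    the directory mtime stands in for the install or last-update time.
    """
    results = []
    for entry in sorted(Path(root).iterdir()):
        manifest = entry / "package.json"
        if not entry.is_dir() or not manifest.is_file():
            continue
        data = json.loads(manifest.read_text(encoding="utf-8"))
        if str(data.get("publisher", "")).lower() != "checkmarx":
            continue
        ext_id = f"{data['publisher']}.{data['name']}".lower()
        version = str(data.get("version", ""))
        installed_at = datetime.fromtimestamp(entry.stat().st_mtime, tz=UTC)
        results.append((ext_id, version, assess_extension(ext_id, version, installed_at)))
    return results


def demo():
    """Build a constructed extensions folder (sample data, not real installs) and scan it."""
    root = Path(tempfile.mkdtemp())
    samples = [("checkmarx", "ast-results", "2.53.0"),
               ("checkmarx", "cx-dev-assist", "1.20.0"),
               ("ms-python", "python", "2026.1.0")]
    for publisher, name, version in samples:
        ext_dir = root / f"{publisher}.{name}-{version}"
        ext_dir.mkdir()
        (ext_dir / "package.json").write_text(
            json.dumps({"publisher": publisher, "name": name, "version": version}),
            encoding="utf-8")
    return scan_extensions_dir(root)


if __name__ == "__main__":
    # Point scan_extensions_dir at Path.home() / ".vscode" / "extensions" on a real workstation.
    for ext_id, version, status in demo():
        print(status, ext_id, version)
```

A `known-malicious-version` or `installed-in-affected-window` result means the workstation should go through the proxy/DNS log review and the credential rotation steps in this FAQ; `review-version` covers versions the page neither lists as malicious nor as safe, which still warrant checking the install timestamp against the windows.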

Important note regarding Checkmarx scan-based detection:

Executing a Checkmarx SAST or SCA scan against your organization’s codebase will not detect whether your environment was compromised by this incident. The incident involves malicious code executed within a CI/CD runner or IDE environment and does not constitute a vulnerability in application code that a scan would identify. Exposure assessment must be conducted through log analysis, workstation inspection, and credential audit as described above.

How did the compromise happen, how was it discovered, and what is Checkmarx doing to prevent similar supply-chain attacks in the future?

Which Checkmarx GitHub Actions and plugins were affected?

Both checkmarx/ast-github-action and checkmarx/kics-github-action were affected by this incident, as were the two Open VSX Registry plugins referenced in Checkmarx’s security communications.

What IOCs can Checkmarx share (hashes, filenames/folders, domains, IPs, SHAs, setup.sh artifacts)?

The following indicators of compromise (IOCs) have been identified through Checkmarx’s investigation and independent third-party security research. The investigation remains ongoing and additional IOCs may be published.

Malicious domain / command-and-control infrastructure:

checkmarx[.]zone – This attacker-controlled domain was intended to be used for the exfiltration of any stolen credentials and secrets. Any outbound DNS query or HTTP/HTTPS connection to this domain originating from CI/CD runners or developer workstations during the affected window should be treated as a confirmed indicator of compromise.

Malicious VSIX filenames (Open VSX):

  • ast-results-[version].vsix
  • cx-dev-assist-[version].vsix

The specific filenames checkmarx.ast-results-2.53.0.vsix and checkmarx.cx-dev-assist-1.7.0.vsix have been referenced in customer communications. Customers should evaluate any version downloaded from the Open VSX Registry during the affected window, not solely these specific version numbers.

On-disk extension directories:

The presence of Open VSX-sourced Checkmarx extension directories within VS Code’s extension folder constitutes a potential indicator. Refer to FAQ F10 for applicable file paths.

Runner artifacts (setup.sh):

The compromised GitHub Actions injected a script (setup.sh) on the CI/CD runner as part of the action’s initialization sequence. The presence of this script or associated runner artifacts constitutes a behavioral indicator of compromise. The full contents of setup.sh cannot be publicly disclosed at this time given the ongoing investigation.

File hashes (SHA256), sourced from Wiz threat intelligence reporting:

ast-results-2.53.0.vsix: 65bd72fcddaf938cefdf55b3323ad29f649a65d4ddd6aea09afa974dfc7f105d

cx-dev-assist-1.7.0.vsix: 744c9d61b66bcd2bb5474d9afeee6c00bb7e0cd32535781da188b80eb59383e0

Which credentials, secrets, or keys must be rotated, and was only GitHub affected or potentially other credentials too?

The malicious payload embedded in both the GitHub Actions and the Open VSX plugins was designed to exfiltrate environment variables and secrets from the execution context of the affected GitHub repository.

Credentials at risk – GitHub Actions (CI/CD):

Any secret configured within the affected GitHub repository or organization and accessible to the workflow at the time the compromised action executed is potentially at risk. This includes, but is not limited to: GITHUB_TOKEN, API keys, cloud provider credentials, database credentials, and Checkmarx API tokens.

Credentials at risk – Developer workstations (Open VSX plugin exposure):

Any credential accessible within the VS Code environment, including those stored in environment variables, configuration files, or tokens used by the IDE, should be treated as potentially at risk.

Credentials requiring rotation:

  1. All GitHub repository secrets in any repository or organization where the compromised actions executed.
  2. Checkmarx API keys and tokens used within the affected pipelines.
  3. Cloud provider credentials (AWS, Azure, GCP) if present as environment variables in affected workflows.
  4. All other API keys, tokens, or passwords configured as GitHub secrets or environment variables in the affected workflows.
  5. On developer workstations: any tokens or secrets stored in VS Code settings, environment variables, or configuration files where the malicious Open VSX plugin was installed and active.

Will Checkmarx provide a formal root-cause analysis (RCA) report?

Checkmarx recognizes that many enterprise customers — particularly those in regulated industries or with formal vendor risk management programs — require a written root-cause analysis or incident statement from strategic suppliers following a supply chain security incident such as this.

Checkmarx is committed to providing material updates and preparing a post-incident report. While the investigation is still ongoing — including with support from a third-party forensic firm we have engaged — we expect the report to include:

  • Our findings with respect to the root cause and attack vector exploited by the TeamPCP threat actor, as established by the investigation
  • A timeline of events from initial compromise through detection and remediation
  • Findings with respect to affected artifacts and the scope of customer impact, as confirmed by the investigation
  • The remediation actions taken by Checkmarx
  • Forward-looking preventive controls to enhance Checkmarx’s security posture

Does this incident affect Checkmarx One SaaS / cloud or scanning engines, and do SaaS-only customers need to take action?

The Checkmarx One SaaS platform, including cloud-hosted scanning engines, the Checkmarx One web application, and associated backend services, does not appear to be affected by this incident.

This incident constitutes a supply-chain compromise targeting specific open-source distribution artifacts (GitHub Actions and Open VSX plugins). It does not represent a breach of Checkmarx’s SaaS infrastructure. It does not appear that the threat actor obtained access to Checkmarx One customer tenants, customer data, scan results, or the platform’s internal systems.

Notwithstanding the above, SaaS customers who utilize the affected GitHub Actions (checkmarx/kics-github-action or checkmarx/ast-github-action) within their own CI/CD pipelines, or whose developers installed plugins sourced from the Open VSX Registry, may be indirectly affected.

We understand the residual risk pertains to the customer’s own CI/CD runner environments and developer workstations on which the malicious code may have executed.

Recommended action for SaaS customers:

If your organization does not use checkmarx/kics-github-action or checkmarx/ast-github-action in its GitHub pipelines and developers do not use Open VSX-sourced plugins, no specific action with respect to the SaaS platform is required. If the affected GitHub Actions are in use, any runner that executed those actions during the affected window should be treated as potentially compromised, and customers should follow the remediation guidance including credential rotation, log review, and runner inspection. We recommend heightened vigilance at this time.

Which versions, tags, and time windows were affected, and which versions are safe now?

Affected versions and tags:

checkmarx/ast-github-action:

  • 3.32 was compromised.
  • References to @main during the exposure window (March 2026) were compromised.
  • Any unpinned or floating reference that resolved to a compromised commit during the exposure window should be treated as affected.

checkmarx/kics-github-action:

  • All versions and tags active on the @main branch during the exposure window (March 2026) were compromised.
  • Any unpinned or floating reference that resolved during the exposure window should be treated as affected.

Open VSX plugins:

  • ast-results v2.53.0 was compromised.
  • cx-dev-assist v1.7.0 was compromised.
  • Any version of either plugin installed or auto-updated from the Open VSX Registry during the exposure window should be treated as compromised.

Safe versions (post-remediation):

  • checkmarx/ast-github-action v2.3.33 or later has been confirmed clean.
  • checkmarx/kics-github-action: pin to a version or commit SHA published following remediation; customers should confirm the specific safe tag with their Checkmarx account team.
  • Open VSX plugins: reinstall from the official VS Code Marketplace. Current Marketplace versions are confirmed clean.
  • @main as of the date of remediation references clean code; however, pinning to an explicit version tag or commit SHA is strongly recommended as best practice.

Exposure window:

Malicious artifacts were active during March 2026. The precise commencement date remains under investigation. Any pipeline execution or plugin installation or auto-update occurring during this period should be evaluated for potential exposure.

Is a third party involved in the investigation, what is the investigation timeline, and has/will the incident be reported to regulators or law enforcement?

Yes. We have appointed external breach counsel, and a leading forensics expert to assist with our investigation. We are unable to provide an estimated timeline. At this stage, we are notifying regulators and law enforcement as we deem necessary.


Article source: https://checkmarx.com/blog/ongoing-security-updates/