Checkmarx Security Update: April 22

📡 Checkmarx · 2026-04-22


Udi-Yehuda Tamar, VP of Platform Engineering and Global CISO
Updated: April 22, 2026

For All Related Updates:

Date       Post                                  Link
27-Apr-26  Checkmarx Security Update: April 27   https://checkmarx.com/blog/supply-chain-security-incident-update/
26-Apr-26  Checkmarx Security Update: April 26   https://checkmarx.com/blog/checkmarx-security-update-april-26/
22-Apr-26  Checkmarx Security Update: April 22   https://checkmarx.com/blog/checkmarx-security-update-april-22/
23-Mar-26  Checkmarx Security Update: March 23   https://checkmarx.com/blog/checkmarx-security-update/

What Happened

On April 22, we communicated with customers about a new development in the supply chain security incident that our team is actively investigating and addressing. We deeply value the trust you place in Checkmarx and are committed to keeping our customers informed as we continue to respond. As part of our immediate response, we retained outside experts and are working around the clock to get to the bottom of this as quickly as possible. In the interim, we are sharing key findings to date and recommended actions for our customers to take.

Key Findings

Notably, our investigation thus far indicates that the malicious artifacts did not overwrite previously published, known-safe versions. Customers using versions or SHAs published prior to the affected timeframes are not affected.

Affected Artifacts

The following artifacts have been identified as potentially affected:

Checkmarx public DockerHub KICS image: https://hub.docker.com/r/checkmarx/kics
- Malicious tags: v2.1.20-debian, v2.1.21-debian, debian, v2.1.21, v2.1.20, alpine, v2.1.20, v2.1.21, latest
- Malicious SHAs: sha256:222e6bfed0f3b, sha256:9183908decd0f, sha256:a6871deb0480e, sha256:ff7b0f114f87c, sha256:1b01a97753780, sha256:2588a44890263, sha256:54f8a56bf1f71, sha256:d186161ae8e33, sha256:415610a42c5b5, sha256:e35bc6afc4857, sha256:a0d9366f6f016, sha256:903eef3c05f6e, sha256:26e8e9c5e53c9, sha256:7391b531a07fc, sha256:4c963fa00e585
- Timeframe: from 2026-04-22 12:31:35.883 UTC to 2026-04-22 12:59:46.562 UTC

Checkmarx public ast-github-action: https://github.com/checkmarx/ast-github-action
- Malicious tags: 2.3.35
- Timeframe: from 2026-04-22 14:17:59 UTC to 2026-04-22 15:41:31 UTC

Checkmarx VS Code extension
- Microsoft marketplace: https://marketplace.visualstudio.com/items?itemName=checkmarx.ast-results
- Open VSX marketplace: https://open-vsx.org/extension/checkmarx/ast-results
- Malicious tags: 2.63, 2.66
- Timeframe (Microsoft marketplace): from 2026-04-22 13:06:00 UTC to 2026-04-22 17:48:00 UTC
- Timeframe (Open VSX marketplace): from 2026-04-22 13:06:00 UTC to 2026-04-22 21:20:00 UTC

Checkmarx Developer Assist extension
- Microsoft marketplace: https://marketplace.visualstudio.com/items?itemName=checkmarx.cx-dev-assist
- Open VSX marketplace: https://open-vsx.org/extension/checkmarx/cx-dev-assist
- Malicious tags: 1.17, 1.19
- Timeframe (Microsoft marketplace): from 2026-04-22 13:06:00 UTC to 2026-04-22 17:48:00 UTC
- Timeframe (Open VSX marketplace): from 2026-04-22 13:06:00 UTC to 2026-04-22 21:20:00 UTC

Actions We've Taken

To date, in response to this development we have:
- Removed the malicious artifacts;
- Revoked and rotated exposed credentials;
- Blocked outbound access to attacker-controlled infrastructure;
- Reviewed our environments for any signs of further compromise;
- Initiated a forensic investigation with the assistance of an independent, third-party forensic firm.

Recommended Actions

We recommend that our customers take the following steps as soon as possible:
- Block access to these domains and IP addresses:
  checkmarx.cx => 91[.]195[.]240[.]123
  audit.checkmarx.cx => 94[.]154[.]172[.]43
- Use pinned SHAs and review or disable auto-update settings in IDE marketplaces
- Rotate secrets and credentials if a compromise is suspected or detected

Current safe versions:
- DockerHub KICS image: latest, v2.1.20, alpine, debian
- Checkmarx ast-github-action: v2.3.36
- Checkmarx VS Code extensions: v2.67.0
- Checkmarx Developer Assist extension: v1.18.0

Guidance for CxSAST On-Premise Customers

We have received questions from customers running CxSAST on-premise about whether their environments are within the scope of this incident. This communication outlines what is, and is not, in scope for your specific environment (CxSAST on-premise and CxSAST hosted), and the limited circumstance under which you may need to take action.

Scope Summary

Based on our investigation to date, the artifacts confirmed as compromised in this incident are externally distributed components associated with Checkmarx One. They are not part of, and are not delivered with, a CxSAST on-premise installation. Specifically:
- CxSAST on-premise itself was not compromised. The incident affected externally distributed artifacts, not the CxSAST product or its installer.
- Checkmarx One (SaaS) infrastructure has not been identified as compromised. We mention this for completeness, as customer questions often span both deployment models.
- The compromised GitHub Actions (checkmarx/ast-github-action and checkmarx/kics-github-action) are used to invoke Checkmarx One scans from CI/CD pipelines. They are not used by CxSAST on-premise customers in that role.
- The compromised VS Code extensions (checkmarx.ast-results and checkmarx.cx-dev-assist) are the Checkmarx One IDE integrations. The CxSAST on-premise IDE plugin is a separate component and was not affected.

Although CxSAST on-premise is out of scope for the compromised artifacts, an incident of this nature warrants standard security vigilance regardless of deployment model. Below we outline the specific conditions that would require a CxSAST on-premise customer to take action as a result of this incident.

Action Required If Applicable

If your organization independently uses the open-source KICS scanner, specifically by pulling the public KICS image from Docker Hub (hub.docker.com/r/checkmarx/kics) outside of any CxSAST or Checkmarx One workflow, we recommend further action if the image was pulled during the affected time window. This image is distinct from the CxSAST product and from the IaC scanning capability built into Checkmarx One.

The compromised KICS image was present on Docker Hub during the following window: from 2026-04-22 12:31:35 UTC to 2026-04-22 12:59:46 UTC.

If you did not pull from Docker Hub during this window, you do not need to take further action. If you did, or are uncertain, verify the image SHA against the list of malicious SHAs in our public advisory (above), treat any match as a potential compromise of the host that pulled the image, and take further action as appropriate.

Precautionary Actions for All Customers

For most CxSAST on-premise customers, no product-level remediation is required. As precautionary measures aligned with the broader incident, we recommend:
- Block outbound access at the network perimeter to: checkmarx.cx (91.195.240.123), audit.checkmarx.cx (94.154.172.43), updates.checkmarx.cx (94.154.172.183), and checkmarx.zone (associated with the March 23 round).
- If your developers use VS Code, confirm that any installed Checkmarx extensions are sourced from the official Microsoft VS Code Marketplace and are current safe versions (ast-results v2.67.0 and Developer Assist v1.18.0 or v1.20.0).
- Consider temporarily disabling auto-update on these extensions until the investigation is closed.
- Review CI/CD logs and developer workstation telemetry for outbound connections to any of the domains and IPs above during the affected windows.

Where to Go for Help

For environment-specific questions, please open a Support case via the Support Portal at support.checkmarx.com. We will continue to update this page as our investigation progresses.

Next Steps

This is an ongoing investigation. Please continue to monitor the Checkmarx Community Incident Page for more information. If you have questions about this development, please open a case via the Support Portal. We are grateful for your continued support and patience as we work to address this incident.
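The three artifact checks the advisory asks for (verify pulled KICS image digests against the published SHA list, pin GitHub Actions to commit SHAs rather than tags, and confirm installed Checkmarx extension versions) can be scripted against the indicators above. The following Python is an added example and not Checkmarx code: it parses the text output of `docker images --digests`, a workflow file, and `code --list-extensions --show-versions`. The sample inputs are constructed, the padded digest only reuses the truncated prefix the advisory publishes, the kics-github-action version in the sample workflow is invented, and the assumption that a listed extension release such as 2.66 covers every 2.66.x build is mine.

```python
"""Added example (not Checkmarx code): check locally pulled KICS images, GitHub
workflow action references and installed VS Code extensions against the
indicators published in this advisory. Every sample input is constructed."""
import re

# Truncated image digests exactly as published in the advisory (13 hex chars);
# matching is therefore on the digest prefix.
MALICIOUS_KICS_SHA_PREFIXES = {
    "222e6bfed0f3b", "9183908decd0f", "a6871deb0480e", "ff7b0f114f87c",
    "1b01a97753780", "2588a44890263", "54f8a56bf1f71", "d186161ae8e33",
    "415610a42c5b5", "e35bc6afc4857", "a0d9366f6f016", "903eef3c05f6e",
    "26e8e9c5e53c9", "7391b531a07fc", "4c963fa00e585",
}
MALICIOUS_ACTION_TAGS = {"checkmarx/ast-github-action": {"2.3.35"}}
# Assumption: a listed extension release such as 2.66 covers every 2.66.x build.
MALICIOUS_EXTENSION_RELEASES = {
    "checkmarx.ast-results": {"2.63", "2.66"},
    "checkmarx.cx-dev-assist": {"1.17", "1.19"},
}
FULL_COMMIT_SHA = re.compile(r"^[0-9a-f]{40}$")
USES_REF = re.compile(r"uses:\s*([\w.-]+/[\w.-]+)@(\S+)")


def find_malicious_kics_images(docker_images_output):
    """Parse the text of `docker images --digests` (columns REPOSITORY, TAG,
    DIGEST, ...) and return (repo, tag, digest) for any checkmarx/kics image
    whose digest starts with a published malicious prefix."""
    hits = []
    for line in docker_images_output.strip().splitlines()[1:]:  # skip header row
        fields = line.split()
        if len(fields) < 3:
            continue
        repo, tag, digest = fields[0], fields[1], fields[2]
        if not repo.endswith("checkmarx/kics") or not digest.startswith("sha256:"):
            continue
        hex_digest = digest[len("sha256:"):]
        if any(hex_digest.startswith(p) for p in MALICIOUS_KICS_SHA_PREFIXES):
            hits.append((repo, tag, digest))
    return hits


def find_risky_action_refs(workflow_yaml):
    """Return (action, ref, reason) for every Checkmarx action in a workflow
    that is either a known-malicious tag or not pinned to a full commit SHA."""
    findings = []
    for action, ref in USES_REF.findall(workflow_yaml):
        if not action.startswith("checkmarx/"):
            continue
        if ref.lstrip("v") in MALICIOUS_ACTION_TAGS.get(action, set()):
            findings.append((action, ref, "malicious tag"))
        elif not FULL_COMMIT_SHA.match(ref):
            findings.append((action, ref, "not pinned to a commit SHA"))
    return findings


def find_affected_extensions(code_list_output):
    """Parse `code --list-extensions --show-versions` lines (publisher.name@version)
    and return (extension, version) for installs of a listed malicious release."""
    affected = []
    for line in code_list_output.strip().splitlines():
        ext, _, version = line.strip().partition("@")
        release = ".".join(version.split(".")[:2])  # major.minor
        if release in MALICIOUS_EXTENSION_RELEASES.get(ext.lower(), set()):
            affected.append((ext, version))
    return affected


# --- constructed sample inputs ---------------------------------------------
CONSTRUCTED_BAD_DIGEST = "sha256:222e6bfed0f3b" + "0" * 51   # advisory prefix, padded
CONSTRUCTED_OK_DIGEST = "sha256:" + "0f" * 32
SAMPLE_DOCKER_IMAGES = (
    "REPOSITORY      TAG      DIGEST  IMAGE ID      CREATED      SIZE\n"
    f"checkmarx/kics  latest   {CONSTRUCTED_BAD_DIGEST}  0123456789ab  2 hours ago  120MB\n"
    f"checkmarx/kics  v2.1.19  {CONSTRUCTED_OK_DIGEST}  abcdef012345  3 weeks ago  118MB\n"
)
SAMPLE_WORKFLOW = """\
steps:
  - uses: actions/checkout@v4
  - uses: checkmarx/ast-github-action@2.3.35
  - uses: checkmarx/kics-github-action@v2.1.3
  - uses: checkmarx/ast-github-action@0123456789abcdef0123456789abcdef01234567
"""
SAMPLE_EXTENSIONS = """\
checkmarx.ast-results@2.66.1
checkmarx.cx-dev-assist@1.18.0
ms-python.python@2026.4.0
"""

if __name__ == "__main__":
    print(find_malicious_kics_images(SAMPLE_DOCKER_IMAGES))
    print(find_risky_action_refs(SAMPLE_WORKFLOW))
    print(find_affected_extensions(SAMPLE_EXTENSIONS))
```

On a real host, feed the functions the captured command output (`docker images --digests`, the contents of each `.github/workflows/*.yml`, and `code --list-extensions --show-versions`). A match on the KICS digest prefix is enough to treat the pulling host as potentially compromised, as the advisory states; the action check also flags any Checkmarx action that is still referenced by tag, since the advisory's remedy for that channel is pinning to a SHA.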
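For the telemetry review the advisory recommends, the following Python is an added example (not Checkmarx code) that scans connection records for the listed domains and IPs and tags each hit with the published affected windows it falls inside, so a reviewer can see at once which artifact channel a connection coincides with. The record format (UTC date and time, source host, destination host, destination IP) and the log lines are constructed; a domain indicator matches itself and any subdomain, so checkmarx.cx also catches audit.checkmarx.cx and updates.checkmarx.cx, while checkmarx.com is not matched.

```python
"""Added example (not Checkmarx code): find outbound connections to the
infrastructure named in this advisory and tag each hit with the affected
windows it falls in. Record format and sample lines are constructed."""
from datetime import datetime, timezone

# Indicators from the advisory. A domain matches exactly or as a parent of the
# observed host, so checkmarx.cx also covers audit./updates.checkmarx.cx.
BLOCKED_DOMAINS = ("checkmarx.cx", "checkmarx.zone")
BLOCKED_IPS = {"91.195.240.123", "94.154.172.43", "94.154.172.183"}


def utc(text):
    """Parse 'YYYY-MM-DD HH:MM:SS' as an aware UTC datetime."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


# Affected windows as published (sub-second parts of the KICS window dropped).
AFFECTED_WINDOWS = {
    "kics docker image": (utc("2026-04-22 12:31:35"), utc("2026-04-22 12:59:46")),
    "ast-github-action 2.3.35": (utc("2026-04-22 14:17:59"), utc("2026-04-22 15:41:31")),
    "vs code extensions, microsoft marketplace": (utc("2026-04-22 13:06:00"), utc("2026-04-22 17:48:00")),
    "vs code extensions, open vsx": (utc("2026-04-22 13:06:00"), utc("2026-04-22 21:20:00")),
}


def matches_blocked_domain(host):
    """True if host is a listed domain or a subdomain of one (case-insensitive)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


def windows_containing(ts):
    """Names of the published affected windows that include timestamp ts."""
    return [name for name, (start, end) in AFFECTED_WINDOWS.items() if start <= ts <= end]


def scan_log(lines):
    """Each constructed record: '<date> <time> <source> <dest host> <dest ip>'.
    Returns one dict per record that touched a blocked domain or IP."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue  # malformed record; a production parser would log and skip it
        ts = utc(parts[0] + " " + parts[1])
        source, host, ip = parts[2], parts[3], parts[4]
        if matches_blocked_domain(host) or ip in BLOCKED_IPS:
            findings.append({"time": ts.isoformat(), "source": source, "host": host,
                             "ip": ip, "windows": windows_containing(ts)})
    return findings


# Constructed log records; 203.0.113.10 is a documentation-range placeholder.
SAMPLE_LOG_LINES = [
    "2026-04-22 12:45:10 build-runner-07 audit.checkmarx.cx 94.154.172.43",
    "2026-04-22 13:02:00 dev-ws-12 checkmarx.com 203.0.113.10",
    "2026-04-23 09:15:44 dev-ws-03 updates.checkmarx.cx 94.154.172.183",
    "2026-04-22 14:30:00 ci-agent-01 cdn.example.net 91.195.240.123",
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG_LINES):
        print(finding)
```

The third sample record shows why the IP list matters alongside the domains: the destination host is unrelated, but the address is one the advisory names, so it is still reported. A hit outside every window (the updates.checkmarx.cx record on April 23) is not cleared by the date; the advisory asks for the domains to be blocked regardless, and such a connection still warrants investigation of the source host.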

