Security firm Checkmarx has disclosed a supply chain security incident: malicious versions of two of its popular security plugins were published to the OpenVSX registry, targeting developers who use Visual Studio Code-compatible environments.
While the firm is “not aware of any impact to customer data or production environments,” the incident highlights how quickly attackers can infiltrate trusted distribution channels.
On March 23, 2026, at approximately 02:53 UTC, attackers successfully published compromised versions of the Checkmarx AST Results and Checkmarx CxDevAssist plugins.
Organizations are potentially impacted only if they downloaded and ran the following specific artifacts from OpenVSX on that day between 02:53 UTC and 15:41 UTC:
- ast-results-2.53.0.vsix
- cx-dev-assist-1.7.0.vsix
Importantly, Checkmarx noted that “plugins downloaded from the VS Code Marketplace were not affected,” as the breach was isolated to the OpenVSX registry.
The attack didn’t stop at IDE plugins. Later that same day, an issue was also identified in the KICS (Keeping Infrastructure as Code Secure) GitHub Action.
Between 12:58 and 16:50 UTC, the GitHub Action distribution was briefly compromised. However, the project maintainers “acted immediately revoking the affected tags, securing access, and preventing unauthorized changes,” fully resolving the issue by 19:24 UTC. Developers can take comfort in knowing that “Checkmarx KICS itself remains secure and unaffected.”
Checkmarx has already released clean, updated versions of the impacted plugins. To ensure your environment is safe, verify that you are using:
- checkmarx.cx-dev-assist: Version 1.10.0 and above.
- checkmarx.ast-results: Version 2.56.0 and above.
If you believe your CI/CD runners or local environments utilized the malicious versions during the affected period, Checkmarx “strongly recommend following these precautionary steps”:
- Rotate All Secrets: This includes any credentials accessible to CI runners, such as GitHub Personal Access Tokens (PATs), cloud service credentials, and repository-level secrets.
- Audit GitHub Actions: Search your logs for suspicious indicators such as references to tpcp.tar.gz, aquasecurity, or checkmarx.zone.
- Check for Shadow Repositories: Be on the lookout for unexpected repositories like tpcp-docs within your organization.
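The version check and log audit described in the steps above, as an added example that is not Checkmarx's own tooling: it classifies installed extensions against the malicious and minimum clean versions quoted in the advisory and flags log lines that mention the listed indicators. The extension listing and log lines are constructed sample data in the format printed by `code --list-extensions --show-versions`.

```python
# Indicators quoted in the advisory (log/workflow references plus the shadow repo name).
# "aquasecurity" is also the GitHub org of Aqua Security's legitimate tooling, so hits
# on that string need human review rather than automatic blocking.
LOG_INDICATORS = ("tpcp.tar.gz", "aquasecurity", "checkmarx.zone", "tpcp-docs")

# Malicious artifact versions and the minimum clean versions stated in the advisory.
MALICIOUS = {"checkmarx.ast-results": "2.53.0", "checkmarx.cx-dev-assist": "1.7.0"}
MIN_CLEAN = {"checkmarx.ast-results": "2.56.0", "checkmarx.cx-dev-assist": "1.10.0"}


def parse_version(v):
    """'2.53.0' -> (2, 53, 0), so 1.10.0 sorts above 1.7.0 (a string compare would not)."""
    return tuple(int(p) for p in v.split("."))


def classify_extension(ext_id, version):
    """Return 'malicious' (the exact bad build), 'below-min-clean', 'ok' or 'not-in-scope'."""
    ext_id = ext_id.lower()
    if ext_id not in MALICIOUS:
        return "not-in-scope"
    if version == MALICIOUS[ext_id]:
        return "malicious"
    if parse_version(version) < parse_version(MIN_CLEAN[ext_id]):
        return "below-min-clean"
    return "ok"


def check_installed(listing):
    """Parse `code --list-extensions --show-versions` output (one `publisher.name@version` per line)."""
    results = {}
    for line in listing.splitlines():
        if "@" in line:
            ext_id, version = line.strip().rsplit("@", 1)
            status = classify_extension(ext_id, version)
            if status != "not-in-scope":
                results[ext_id.lower()] = status
    return results


def scan_log(lines):
    """Return (line_no, indicator, line) for every log line that mentions an indicator."""
    return [(n, ioc, line.rstrip()) for n, line in enumerate(lines, 1)
            for ioc in LOG_INDICATORS if ioc in line.lower()]


# Constructed sample data standing in for real `code` output and a CI runner log.
SAMPLE_LISTING = "checkmarx.ast-results@2.53.0\ncheckmarx.cx-dev-assist@1.10.0\nms-python.python@2024.2.1\n"
SAMPLE_LOG = ["Run KICS scan", "Downloading tpcp.tar.gz", "Post job cleanup."]
```

Versions between the malicious build and the minimum clean version are reported as below-min-clean rather than malicious, because the advisory only names the two specific artifacts as compromised.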