Checkmarx reveals details of a cybersecurity supply chain incident affecting developer tools. Learn about the timeline, impact, and measures taken to secure the environment.

Checkmarx, a leading provider of application security solutions, has disclosed a cybersecurity supply chain incident that compromised certain developer artifacts distributed through third-party channels. The breach, which began in March 2026, involved unauthorized access to Checkmarx’s GitHub repositories, leading to the publication of malicious code in various artifacts, including VS Code extensions, GitHub Actions workflows, and a Jenkins plugin.
The incident underscores the growing risks associated with supply chain attacks, where cybercriminals exploit trusted relationships to infiltrate systems. Checkmarx has been working diligently with external forensic specialists, including Mandiant, to investigate and remediate the breach. The company has taken significant steps to secure its environment and prevent future incidents.
Timeline of the Incident
The incident unfolded over several weeks, with key events occurring in March and April 2026. Here’s a detailed timeline of the breach and Checkmarx’s response:
March 23, 2026: Initial Compromise
On March 23, 2026, Checkmarx identified that attackers had gained unauthorized access to its GitHub repositories.
This access was facilitated by the Trivy Supply Chain Attack, which occurred on March 19, 2026. The attackers used stolen credentials to publish malicious code to various artifacts, including GitHub Actions and VS Code extensions.
April 22, 2026: Second Wave of Attacks
A second wave of malicious artifacts was published on April 22, 2026, indicating that the attackers had maintained or regained access to Checkmarx’s environment. This wave included a compromised KICS Docker image, updated VS Code and DevAssist extensions, and additional GitHub Actions.
April 25, 2026: Dark Web Leak
On April 25, 2026, a cybercriminal group published data to the dark web that originated from Checkmarx’s GitHub repositories. The data exfiltration had occurred on March 30, 2026, using compromised credentials from the initial attack.
May 9, 2026: Jenkins Plugin Compromise
The attackers leveraged their access to modify the Jenkins AST plugin and publish a compromised version to the Jenkins Marketplace on May 9, 2026. This plugin targeted file paths for common applications, including crypto wallets, VPNs, AWS, and GitHub, to search for credentials.
Actions Taken by Checkmarx
Since the onset of the incident, Checkmarx has implemented a comprehensive response to mitigate the breach and enhance its security posture. Key actions include:
- Removal of Malicious Artifacts: Checkmarx removed all compromised artifacts and published clean, verified replacements across affected channels.
- Credential Rotation: The company rotated and revoked exposed credentials, with ongoing validation and follow-up rotations as the investigation progresses.
- Access Restrictions: Outbound access to attacker-controlled infrastructure was blocked, and access to affected GitHub repositories was locked down.
- Enhanced Security Controls: Additional security tools and access restrictions were implemented within the development environment.
- Engagement of Law Enforcement: Checkmarx engaged law enforcement and notified relevant authorities about the incident.
- Retention of Mandiant: The company retained Mandiant, a leading incident response and digital forensics firm, to bolster its investigation and remediation efforts.
- Code Audit: A thorough code audit was conducted to ensure no further malicious code was present beyond the identified findings.
Checkmarx is now in the final stages of its investigation, with Mandiant confirming that the AWS production environment and Checkmarx One SaaS environment were not impacted. The last evidence of threat actor activity within the Checkmarx environment occurred on April 22, 2026.
Recommendations for Customers
Checkmarx has provided several recommendations for customers to protect themselves from potential risks associated with the incident. These include:
- Pin to Specific SHAs: Customers are advised to pin to specific SHAs rather than mutable tags to ensure they are using verified versions.
- Disable Auto-Update: Disabling auto-update on IDE extensions can prevent the installation of compromised versions.
- Scan Images at Pull Time: Scanning images at pull time and validating signatures can help identify malicious artifacts.
- Restrict Egress from CI Runners: Restricting egress from CI runners to an allowlist and monitoring outbound connections for unexpected domains can enhance security.
- Treat CI Runner Credentials as Short-Lived: Treating CI runner credentials as short-lived and tightly scoped can minimize the risk of credential theft.
Checkmarx continues to work with Mandiant to finalize its investigation and implement additional security measures. The company remains committed to transparency and will provide further updates as new information becomes available.

