checkmarx-ast-results-extension
Checkmarx AST Results VS Code extension compromised
Malicious versions of the Checkmarx AST Results VS Code extension were published through third-party extension marketplaces during the Checkmarx supply-chain incident. Checkmarx reported an Open VSX malicious version 2.53.0 on March 23, 2026 and later malicious versions 2.63 and 2.66 on April 22, 2026 across Microsoft Marketplace and Open VSX windows.
- Date
- 2026-03-23 to 2026-04-22
- Category
- Commercial
- Target Surface
- Distribution
- Insertion Phase
- distribution
- Impact
- Credential theft
- Cause
- Compromised Account/Credentials
What Was Affected
Package
checkmarx-ast-results-extension
LanguageTypeScript
ComponentPlugin
Artifact typeextension
Domain typepackage host
Domain
open-vsx.org
Repository
marketplace.visualstudio.com/items
Compromised Versions
Incident Context
- Motive
- Credential Theft
- Attribution
- Advanced Persistent Threat
- Transitive
- Yes
- User Impact
- 0
- Observed Duration
- 30 days
Evidence
Compromised Artifacts
Indicators and Changes
Hashes
sha256:65bd72fcddaf938cefdf55b3323ad29f649a65d4ddd6aea09afa974dfc7f105d
External References
Source Data
Source record: proprietary/checkmarx-ast/meta.yaml