checkmarx-developer-assist-extension

Incident Summary

Checkmarx Developer Assist VS Code extension compromised

Malicious versions of the Checkmarx Developer Assist VS Code extension were published during the Checkmarx supply-chain incident. Checkmarx reported an Open VSX malicious version 1.7.0 on March 23, 2026 and later malicious versions 1.17 and 1.19 on April 22, 2026 across Microsoft Marketplace and Open VSX windows.

Date: 2026-03-23 to 2026-04-22
Category: Commercial
Target Surface: Distribution
Insertion Phase: distribution
Impact: Credential theft
Cause: Compromised Account/Credentials

What Was Affected

Package checkmarx-developer-assist-extension

LanguageTypeScript

ComponentPlugin

Artifact typeextension

Domain typepackage host

Domain open-vsx.org

Repository marketplace.visualstudio.com/items

Compromised Versions

Incident Context

Motive: Credential Theft
Attribution: Advanced Persistent Threat
Transitive: Yes
User Impact: 0
Observed Duration: 30 days

Evidence

Compromised Artifacts

Indicators and Changes

Hashes

sha256:744c9d61b66bcd2bb5474d9afeee6c00bb7e0cd32535781da188b80eb59383e0

External References

Source Data

Source record: proprietary/checkmarx-ast/meta.yaml