Supply Chain Attack on Checkmarx
Analytics, 2026-03-27, 07:07
Checkmarx, known for its AppSec solutions, has released an update on a recent incident that occurred on March 23, 2026. Attackers compromised GitHub Actions (checkmarx/ast-github-action and checkmarx/kics-github-action), as well as plugins distributed via OpenVSX.
The attack involved force-pushing tags so that official Action version tags pointed to malicious commits. Most teams trust tags and automatically pull updates into their pipelines without verifying commit hashes. As a result, malicious code could execute directly within CI/CD environments, gaining access to sensitive data such as API keys, tokens, and cloud credentials.
Checkmarx released secure versions of the affected GitHub Actions (ast-github-action v2.3.33 and kics-github-action v2.1.20), and removed the compromised releases. According to the investigation, the attackers gained access to a limited set of internal systems, while critical systems were not affected.
Users are advised to update the affected Actions as soon as possible, review pipeline execution history for suspicious activity, and rotate any secrets that may have been exposed. As a long-term security measure, it is recommended to avoid relying on tags and instead pin dependencies to specific commit hashes.
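A check a pipeline owner can run to find the mutable tag or branch references the advice above warns about, added here as an example and not part of Checkmarx's advisory or tooling; the sample workflow, the local action path and the 40-hex SHA are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Matches a `uses:` step reference of the form owner/repo@ref or owner/repo/path@ref.
# Local actions (./path) and docker:// images carry no @ref and are not matched.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^@\s'\"]+)@([^\s'\"#]+)")
# Only a full 40-character hex commit SHA counts as an immutable pin.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class UsesRef:
    line: int
    action: str
    ref: str
    pinned: bool  # True only when ref is a full commit SHA


def scan_workflow(text: str) -> list[UsesRef]:
    """Return every external `uses:` reference in a workflow with its pin status."""
    refs = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            action, ref = m.group(1), m.group(2)
            refs.append(UsesRef(n, action, ref, bool(FULL_SHA_RE.match(ref))))
    return refs


def unpinned(text: str) -> list[UsesRef]:
    """References that follow a movable tag or branch and would pick up a force-pushed tag."""
    return [r for r in scan_workflow(text) if not r.pinned]


# Constructed sample workflow; the SHA is a placeholder, not a real commit of any project.
SAMPLE = """\
name: scan
on: [push]
jobs:
  sast:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - uses: checkmarx/ast-github-action@v2.3.33
      - uses: checkmarx/kics-github-action@main
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
"""

if __name__ == "__main__":
    for r in unpinned(SAMPLE):
        print(f"line {r.line}: {r.action}@{r.ref} is a mutable ref; pin it to a commit SHA")
```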