Checkmarx has reported a supply chain security incident affecting several of its products, including DockerHub KICS images, GitHub actions, and VS Code extensions. The company is actively investigating the issue and has engaged external experts to assist in the response. Customers have been informed of the situation and advised on immediate actions to mitigate potential risks.
The investigation has revealed that the malicious artifacts did not overwrite previously published, known-safe versions. This means that customers using versions or SHAs published before the affected timeframes are not impacted. However, specific versions and tags have been identified as potentially compromised, including certain DockerHub KICS images and Checkmarx GitHub actions.
The affected artifacts include malicious tags and SHAs for the Checkmarx public DockerHub KICS image and the Checkmarx public ast-github-action. Additionally, certain versions of the Checkmarx VS Code extension and Developer Assist extension are under scrutiny, with timeframes for these still to be confirmed. The company has taken steps to remove the malicious artifacts, revoke exposed credentials, and block access to attacker-controlled infrastructure.
Checkmarx recommends that customers block access to specific domains and IP addresses associated with the incident. They should also use pinned SHAs, review or disable auto-update settings in IDE marketplaces, and rotate secrets and credentials if a compromise is suspected. Customers are advised to use only known safe versions of the affected products.
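One way to apply the pinning advice above to a repository's own files, as an added example that is not Checkmarx's code: it scans GitHub workflow `uses:` lines and Dockerfile `FROM` lines for the affected action and image, reports whether each reference is pinned to a commit SHA or image digest, and flags references on a block list. The block-list entries (`FLAGGED`) and the sample inputs are constructed placeholders, since this page does not reproduce the actual tags and SHAs.

```python
import re

# Constructed placeholders: substitute the tags and SHAs named in the advisory.
FLAGGED = {"checkmarx/ast-github-action": {"PLACEHOLDER_BAD_TAG", "PLACEHOLDER_BAD_SHA"},
           "checkmarx/kics": {"PLACEHOLDER_BAD_TAG"}}
SHA_RE = re.compile(r"^[0-9a-f]{40}$")            # full commit SHA = pinned action
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")  # OCI digest = pinned image
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+)(?:/[\w./-]+)?@(\S+)")
FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)", re.I)
def status(repo, refs, pinned):
    # A block-listed ref is flagged even when it is a pinned SHA or digest.
    if any(r in FLAGGED.get(repo, ()) for r in refs):
        return "flagged"
    return "pinned" if pinned else "unpinned"

def parse_image(ref):
    """Split 'repo[:tag][@digest]' into (repo, tag, digest)."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    repo, tag = ref, None
    if ":" in ref.rsplit("/", 1)[-1]:  # a colon after the last slash is a tag, not a port
        repo, tag = ref.rsplit(":", 1)
    return repo, tag, digest

def audit_workflow(text):
    """(line, action, ref, status) for each remote 'uses:'; local paths are skipped."""
    out = []
    for n, line in enumerate(text.splitlines(), 1):
        if m := USES_RE.match(line):
            repo, ref = m.groups()
            out.append((n, repo, ref, status(repo, [ref], bool(SHA_RE.match(ref)))))
    return out

def audit_dockerfile(text):
    """(line, image, tag or digest, status) for each FROM line."""
    out = []
    for n, line in enumerate(text.splitlines(), 1):
        if (m := FROM_RE.match(line)) and m.group(1).lower() != "scratch":
            repo, tag, digest = parse_image(m.group(1))
            pinned = bool(digest and DIGEST_RE.match(digest))
            out.append((n, repo, tag or digest, status(repo, [tag, digest], pinned)))
    return out
WORKFLOW = """\
  - uses: actions/checkout@v4
  - uses: checkmarx/ast-github-action@PLACEHOLDER_BAD_TAG
  - uses: checkmarx/ast-github-action@0123456789abcdef0123456789abcdef01234567
"""  # constructed sample inputs, not real workflow or Dockerfile content
DOCKERFILE = ("FROM checkmarx/kics:PLACEHOLDER_BAD_TAG\n"
              "FROM checkmarx/kics:v2.1.0@sha256:" + "a" * 64 + "\n")
```

Anything reported as "unpinned" should be moved to a commit SHA or digest, and anything "flagged" replaced with a known-safe reference before the next pipeline run.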
The investigation is ongoing, and Checkmarx urges customers to monitor their Community Incident Page for updates. For any questions or further assistance, customers are encouraged to contact Checkmarx through their Support Portal. The company appreciates the support and patience of its customers as it works to resolve the incident.
Source: https://checkmarx.com/blog/checkmarx-security-update-april-22/