Development teams that ran Checkmarx security tooling between March 23 and April 22, 2026, may have inadvertently executed attacker-controlled code inside their own software build environments, creating a path for credentials, source code, and secrets to be stolen from their organizations. If compromised credentials were used to access internal systems or cloud environments, the downstream impact extends beyond the Checkmarx incident itself into the organization's own software supply chain and customer-facing products. Organizations in regulated industries whose development pipelines touched the affected tooling face potential compliance exposure if customer or sensitive data passed through those environments.
You Are Affected If
You ran Checkmarx KICS Docker images pulled by tag after March 23, 2026, rather than pinned by digest to a pre-compromise image version
Your CI/CD pipelines used Checkmarx GitHub Actions workflows executed between March 23 and April 22, 2026
Developers in your organization installed VS Code extensions sourced from Open VSX during the exposure window
Your environment installed the Bitwarden CLI via npm and the installed version has not been verified against known-good package hashes
API keys, database credentials, or private keys were present in environment variables or secrets stores accessible to the affected pipeline components during the exposure window
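A quick way to triage the first two conditions above is to scan workflow files and Dockerfiles for Checkmarx references that are not pinned to an immutable identifier. The script below is an added example for this advisory, not Checkmarx's or the advisory author's own tooling; the regexes, the `checkmarx/kics` and `checkmarx/kics-github-action` reference names, and both sample files are assumptions or constructed inputs.

```python
import re
from collections import namedtuple

# Heuristic line scanner (not a YAML/Dockerfile parser). The patterns are assumptions
# about how action and image references usually appear in pipeline files.
ACTION_RE = re.compile(r"uses:\s*([\w.-]+/[\w.-]+)(?:/[\w./-]+)?@([\w./-]+)")
IMAGE_RE = re.compile(
    r"(?:^\s*FROM\s+(?:--platform=\S+\s+)?|\bimage:\s*)"
    r"([\w./-]+)(?::([\w.-]+))?(?:@(sha256:[0-9a-f]{64}))?", re.IGNORECASE)
COMMIT_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
Finding = namedtuple("Finding", "line_no kind ref reason")

def audit_pipeline_text(text: str, vendor: str = "checkmarx") -> list:
    """One Finding per vendor action not pinned to a full commit SHA and per vendor image
    not pinned to a digest. Digest-pinned images are not flagged but still need comparing
    against the vendor's published pre-compromise digests."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        a = ACTION_RE.search(line)
        if a and a.group(1).lower().startswith(vendor + "/"):
            if not COMMIT_SHA_RE.match(a.group(2)):
                findings.append(Finding(n, "action", f"{a.group(1)}@{a.group(2)}",
                                        "mutable ref (tag or branch), not a commit SHA"))
        i = IMAGE_RE.search(line)
        if i and vendor in i.group(1).lower() and not i.group(3):
            ref = i.group(1) + (f":{i.group(2)}" if i.group(2) else "")
            findings.append(Finding(n, "image", ref, "tag, not a sha256 digest"))
    return findings

# Constructed sample inputs (not real pipeline files); the digest below is a dummy value.
SAMPLE_WORKFLOW = """\
jobs:
  scan:
    container:
      image: checkmarx/kics:latest
    steps:
      - uses: actions/checkout@v4
      - uses: checkmarx/kics-github-action@v2.1.0
      - uses: checkmarx/kics-github-action@0123456789abcdef0123456789abcdef01234567
"""
SAMPLE_DOCKERFILE = """\
FROM checkmarx/kics:v2.0.0
FROM checkmarx/kics:v2.0.0@sha256:0000000000000000000000000000000000000000000000000000000000000000
"""

if __name__ == "__main__":
    for name, text in (("workflow", SAMPLE_WORKFLOW), ("Dockerfile", SAMPLE_DOCKERFILE)):
        for f in audit_pipeline_text(text):
            print(f"{name}:{f.line_no} {f.kind} {f.ref} -> {f.reason}")
```

Run it over each `.github/workflows/*.yml` and Dockerfile in the repositories that were active during the exposure window; every flagged reference is one whose resolved content could have changed between March 23 and April 22, 2026.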
Board Talking Points
Attackers compromised the security scanning tools Checkmarx provides to development teams, turning those tools into a channel for stealing credentials and source code from any organization that ran them between March 23 and April 22, 2026.
Development and security teams should audit all pipeline activity from that window this week, rotate any exposed credentials immediately, and verify no malicious code was introduced into internally developed software.
Organizations that do not act risk persistent attacker access through stolen credentials, potential exposure of proprietary source code, and downstream compromise of their own software products.
Compliance Exposure
SOC 2 — development pipelines processing customer data or secrets may have been exposed through compromised CI/CD tooling, implicating availability and confidentiality trust service criteria
PCI-DSS — if payment processing application build pipelines executed affected Checkmarx components, code integrity and secrets management controls under Requirement 6 and Requirement 8 are directly implicated
GDPR / applicable data protection law — organizations whose software development pipelines handle personal data and were compromised face potential obligation to assess whether a reportable breach occurred