mal-2026-2231
Vulnerability from ossf_malicious_packages
Published
2026-03-26 06:18
Modified
2026-03-26 06:18
Summary
Malicious code in checkmarx.ast-results (VSCode:https://open-vsx.org)
Details
-= Per source details. Do not edit below this line.=-
Source: google-open-source-security (3205937565e6fad63cbece12a8463cd52f3e95c10ac99ab7e62a317e9c18717a)
This extension is a compromised version of the offical Checkmarx VSCode extensions available on the Microsoft Marketplace, by the TeamPCP threat actor and related to the Trivy campaign.
The extension hunts for sensitive credentials and developer secrets for exfiltration. The extension also downloads a payload from an attacker controlled server. The malicious code will also try and maintain persistence using systemd.
{
"affected": [
{
"package": {
"ecosystem": "VSCode:https://open-vsx.org",
"name": "checkmarx.ast-results"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.58.0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.56.0",
"2.53.0",
"2.52.0",
"2.51.0",
"2.50.0",
"2.49.1772192163",
"2.49.1772191521",
"2.49.0",
"2.48.0",
"2.47.0",
"2.46.0",
"2.45.0",
"2.44.0",
"2.43.0",
"2.42.0",
"2.40.0",
"2.39.0",
"2.38.0",
"2.37.0",
"2.36.0",
"2.35.0"
]
}
],
"database_specific": {
"iocs": {
"domains": [
"checkmarx.zone"
]
},
"malicious-packages-origins": [
{
"import_time": "2026-03-26T06:18:48.132467Z",
"modified_time": "2026-03-26T06:18:28Z",
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.58.0"
}
],
"type": "ECOSYSTEM"
}
],
"sha256": "3205937565e6fad63cbece12a8463cd52f3e95c10ac99ab7e62a317e9c18717a",
"source": "google-open-source-security",
"versions": [
"2.56.0",
"2.53.0",
"2.52.0",
"2.51.0",
"2.50.0",
"2.49.1772192163",
"2.49.1772191521",
"2.49.0",
"2.48.0",
"2.47.0",
"2.46.0",
"2.45.0",
"2.44.0",
"2.43.0",
"2.42.0",
"2.40.0",
"2.39.0",
"2.38.0",
"2.37.0",
"2.36.0",
"2.35.0"
]
}
]
},
"details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: google-open-source-security (3205937565e6fad63cbece12a8463cd52f3e95c10ac99ab7e62a317e9c18717a)\nThis extension is a compromised version of the offical Checkmarx VSCode extensions\navailable on the Microsoft Marketplace, by the TeamPCP threat actor and related\nto the Trivy campaign.\n\nThe extension hunts for sensitive credentials and developer secrets for\nexfiltration. The extension also downloads a payload from an attacker\ncontrolled server. The malicious code will also try and maintain persistence\nusing systemd.\n",
"id": "MAL-2026-2231",
"modified": "2026-03-26T06:18:28Z",
"published": "2026-03-26T06:18:28Z",
"references": [
{
"type": "REPORT",
"url": "https://checkmarx.com/blog/checkmarx-security-update/"
},
{
"type": "ARTICLE",
"url": "https://www.wiz.io/blog/teampcp-attack-kics-github-action"
},
{
"type": "ARTICLE",
"url": "https://www.reversinglabs.com/blog/teampcp-supply-chain-attack-spreads"
}
],
"schema_version": "1.7.4",
"summary": "Malicious code in checkmarx.ast-results (VSCode:https://open-vsx.org)"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…