Checkmarx Confirms GitHub Repository Data Leaked on Dark Web After March 23 Cyberattack


Key Takeaways

  • Checkmarx confirmed that data leaked on the dark web originated from its publicly accessible GitHub repository, not from its production systems.
  • The leak is linked to the supply‑chain attack of March 23 2026, which tampered with GitHub Actions workflows, VS Code extensions, and a Docker image to deploy credential‑stealing malware.
  • Although the repository contains source code, employee data, API keys, and database credentials, Checkmarx states no customer data is stored there and promises immediate notification if that assessment changes.
  • The company has locked down the compromised repository and is conducting an ongoing forensic investigation to determine the full scope and verify the authenticity of the leaked material.
  • The threat actors identified include the LAPSUS$ group (which claimed the leak) and TeamPCP, which claimed responsibility for the original supply‑chain compromise and subsequent cascading attacks on related packages.

Background of the Supply‑Chain Incident
On March 23 2026, Checkmarx fell victim to a sophisticated supply‑chain attack that began with the compromise of the Trivy open‑source project. Threat actors injected malicious code into two of Checkmarx’s GitHub Actions workflows and two plugins distributed via the Open VSX marketplace. The altered components were designed to harvest developer secrets—such as API keys, tokens, and credentials—by acting as credential‑stealing malware whenever the workflows ran or the extensions were installed.

Expansion of the Compromise
A week after the initial breach, investigators observed that the same financially motivated group (referred to as TeamPCP) had further tainted Checkmarx’s KICS Docker image, the two VS Code extensions, and an additional GitHub Actions workflow with a similar malicious payload. This secondary infection propagated the stealer to downstream consumers, most notably causing a brief compromise of the Bitwarden CLI npm package when developers pulled the tainted image or installed the corrupted extensions.

Dark‑Web Disclosure and LAPSUS$ Claims
The situation escalated when the Dark Web Informer reported on X that the LAPSUS$ cybercrime group had posted Checkmarx‑related data on its leak site. According to the listing, the exposed information includes source code repositories, an employee database, API keys, and MongoDB/MySQL credentials. Checkmarx responded by stating that, based on current forensic evidence, the data appears to have been exfiltrated from its GitHub repository, which was accessed via the original supply‑chain vector. The company emphasized that the repository is strictly isolated from its customer‑facing production environment, meaning no live customer data resides there.

Checkmarx’s Response and Ongoing Investigation
In reaction to the leak, Checkmarx immediately locked down access to the affected GitHub repository to prevent further unauthorized retrieval. The firm launched a comprehensive forensic probe to ascertain the exact nature, volume, and authenticity of the disclosed data. While the investigation continues, Checkmarx has pledged to notify customers and all relevant stakeholders without delay should any customer information be found to be involved. The company also reiterated its commitment to improving supply‑chain vigilance, including stricter verification of third‑party actions, enhanced monitoring of repository permissions, and tighter integration of secret‑scanning tools within its CI/CD pipelines.

Implications for the Software Supply‑Chain Landscape
The Checkmarx incident underscores the cascading risk inherent in modern software supply chains: a single compromised dependency can infect build pipelines, development tools, and downstream packages, ultimately exposing sensitive credentials and source code. Threat actors such as LAPSUS$ and TeamPCP are increasingly financially motivated, leveraging credential‑stealing malware to monetize stolen secrets via resale or direct exploitation. Organizations must therefore adopt a zero‑trust posture for their development environments, enforce least‑privilege access to repositories and CI/CD systems, continuously scan for malicious code in third‑party components, and maintain robust incident‑response plans that include rapid isolation of compromised assets and transparent communication with affected parties. The Checkmarx case serves as a cautionary tale that even security‑focused vendors are not immune, highlighting the need for industry‑wide collaboration on supply‑chain integrity standards.
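The recommendations above (verifying third-party actions and keeping repository permissions to a minimum) can be turned into a pre-merge check. The following is an added example, not code from the article or from Checkmarx: it audits a GitHub Actions workflow for `uses:` references that are not pinned to an immutable commit SHA or image digest and for a missing top-level `permissions:` block. The sample workflow and the commit SHA in it are constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed sample workflow (not any real project's): one step is pinned to a
# full commit SHA, others reference mutable tags or branches, and no top-level
# permissions block is declared, so the default GITHUB_TOKEN scope applies.
SAMPLE_WORKFLOW = """\
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32
      - uses: ./.github/actions/local-step
      - uses: docker://example/image:latest
      - uses: some-org/scan-action@main
      - run: make test
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# MULTILINE + column 0 anchor: only a workflow-level permissions block matches.
PERMISSIONS_RE = re.compile(r"^permissions:", re.MULTILINE)


def unpinned_actions(workflow_text: str) -> List[str]:
    """Return `uses:` references not pinned to a commit SHA or image digest."""
    findings = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./"):
            continue  # local action in this repository, no remote reference
        if ref.startswith("docker://"):
            if "@sha256:" not in ref:
                findings.append(ref)  # image tags are mutable; pin by digest
            continue
        _, _, version = ref.partition("@")
        if not SHA_RE.match(version):
            findings.append(ref)  # tag or branch can be moved by the publisher
    return findings


def has_top_level_permissions(workflow_text: str) -> bool:
    """True when the workflow declares its own GITHUB_TOKEN scope."""
    return bool(PERMISSIONS_RE.search(workflow_text))


def audit_workflow(workflow_text: str) -> Dict[str, object]:
    """Summarise both checks so a CI gate can fail on either finding."""
    return {"unpinned": unpinned_actions(workflow_text),
            "permissions_declared": has_top_level_permissions(workflow_text)}
```

Pinning to a SHA does not make an action trustworthy by itself; it only guarantees that the code reviewed once is the code that runs later, which is the property that tag tampering defeats.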
