Checkmarx has revealed that an ongoing investigation related to a supply chain security incident has revealed that a cybercriminal group had published data related to the company on the dark web.
“Based on current evidence, we believe this data comes from Checkmarx’s GitHub repository and that access to that repository was facilitated by the initial supply chain attack on March 23, 2026,” the Israeli security firm said.
It also emphasized that GitHub repositories are maintained separately from customers’ production environments, adding that no customer data is stored in the repositories. Checkmarks said a forensic investigation into this incident is ongoing and it is actively working to verify the nature and scope of the data posted.
Additionally, the company said it has locked down access to the affected GitHub repositories as part of its incident response.
“If we determine that customer information is involved in this incident, we will immediately notify customers and all parties involved.”
This development came after a dark web informant shared in an X post that the LAPSUS$ cybercrime group claimed three victims on the data breach site, one of which included Checkmarx. According to the listing, the data includes source code, employee database, API keys, and MongoDB/MySQL credentials.
Checkmarx was compromised late last month following the Trivy supply chain attack. As a result, two GitHub Actions workflows and two plugins distributed via the Open VSX marketplace were modified to push a credential stealer that could collect a wide range of developer secrets. An attacker known as TeamPCP claimed responsibility for the attack.
Last week, the financially motivated group allegedly used similar credential-stealing malware to compromise Checkmarx’s KICS Docker image, two VS Code extensions, and GitHub Actions workflows. This had a knock-on effect, leading to a brief compromise of the Bitwarden CLI npm package.
Source link
