Skip to main content
Emerging ThreatsData Breaches

Checkmarx Breach Exposes GitHub Repository Data on Dark Web

Developer workstation with code on screen in a clean, minimalist environment.

"Based on current evidence, we believe this data originated from Checkmarx's GitHub repository, and that access to that repository was facilitated through the initial supply chain attack of March 23, 2026," the Israeli security company said.

How the March 23 Trivy supply chain attack tied to a GitHub repository

Checkmarx says its ongoing forensic investigation links the March 23, 2026, supply chain intrusion — described in company statements as the Trivy supply chain attack — to subsequent access of a Checkmarx GitHub repository. The company emphasized that the GitHub repository is maintained separately from its customer production environment and that "no customer data is stored in the repository." As part of its response, Checkmarx has locked down access to the affected GitHub repository while investigators work to verify the nature and scope of the data published on the dark web.

Dark web posting and the LAPSUS$ claim

The disclosure follows a post by Dark Web Informer on X asserting that the LAPSUS$ cybercrime group had listed Checkmarx among three victims on its data leak site. That listing, according to the post, included items described as source code, an employee database, API keys, and MongoDB/MySQL credentials. Checkmarx’s public statements state the company believes the posted data originated from its GitHub repository, and that the repository access was facilitated by the March 23 supply chain attack.

Credential‑stealing tampering in workflows and Open VSX plugins

Checkmarx reports that the initial breach tampered with two of its GitHub Actions workflows and two plugins distributed via the Open VSX marketplace. Those altered components were used to push a credential stealer capable of harvesting a wide range of developer secrets. The threat actor known as TeamPCP claimed responsibility for the attack; Checkmarx says its forensic probe into the incident is ongoing as it works to verify exactly what data was posted.

KICS Docker image, VS Code extensions, and a cascading impact on Bitwarden CLI

Last week, investigators attributed additional compromises to a financially motivated group: Checkmarx's KICS Docker image, two VS Code extensions, and a GitHub Actions workflow were suspected to have been compromised with similar credential‑stealing malware. That chain of compromises had a cascading effect, the company says, and briefly impacted the Bitwarden CLI npm package.

What this means for security teams, Checkmarx customers, and developers using affected tooling

  • Security teams and technologists: Expect to examine developer tooling and CI/CD workflows for tampering. Checkmarx has already locked the affected GitHub repository and is conducting a forensic probe to verify the scope of posted material.
  • Checkmarx customers and related enterprises: Checkmarx has stated that its repository is separate from customer production environments and that no customer data is stored in the repository; the company also pledged, "If we determine that customer information was involved in this incident, we will notify customers and all relevant parties immediately."
  • Developers and maintainers of tooling (Open VSX, VS Code extensions, Docker images, npm packages): The incident shows that tampering with developer-facing artifacts — GitHub Actions workflows, plugins, Docker images and extensions — was central to delivery of credential‑stealing malware, and those who consume such artifacts should track patch and advisory notices from affected projects and vendors.

Checkmarx’s account lays out a sequence: an initial Trivy supply chain compromise on March 23; tampering of workflows and Open VSX plugins to deliver a credential stealer; a later suspected compromise of the KICS Docker image and VS Code extensions; and a brief, cascading impact to the Bitwarden CLI npm package. The company has acknowledged a dark web posting that purports to include source code, an employee database, API keys and database credentials, and says it is actively working to verify the nature and scope of the posted data.

The immediate steps reported by Checkmarx are concrete: the affected GitHub repository has been locked down, and a forensic investigation continues. The company has committed to notifying customers and "all relevant parties" if customer information is found to be involved. For now, the record centers on code and developer artifacts and on whether those artifacts contained credentials or other secrets that could expand the incident’s impact. The ongoing probe will determine whether the dark web posting contains data beyond what Checkmarx has publicly confirmed.

Source: https://thehackernews.com/2026/04/checkmarx-confirms-github-repository.html