"As a result of that access, the attackers were able to interact with Checkmarx’s GitHub environment and subsequently publish malicious code to certain artifacts," the company reported. That single sentence ties the incident to a chain of supply-chain and credential-theft events that began on March 23, 2026, continued with malicious artifacts published on April 22, and ended with stolen repository data surfacing on the LAPSUS$ extortion portal.
Checkmarx confirms March 23 GitHub compromise
Application security company Checkmarx has confirmed that the LAPSUS$ threat group published data stolen from a private Checkmarx GitHub repository. Checkmarx said the data that appeared on LAPSUS$'s extortion portal “originated from Checkmarx’s GitHub repository” and that the access was tied to a supply-chain incident on March 23, 2026. The company said its investigation is being conducted “with support from a leading third-party forensic firm.”
Trivy supply-chain attack and TeamPCP supplied the credentials
Checkmarx believes the initial access vector was the Trivy supply‑chain attack attributed to the group known as TeamPCP. According to Checkmarx, that incident “provided access to credentials from downstream users,” of which Checkmarx was one. Using credentials exposed in the Trivy incident, the attacker accessed Checkmarx’s GitHub repositories on March 23 and, in the company’s account, published malicious code from that point.
Malicious artifacts published April 22 targeted KICS; credentials and tokens were exfiltrated
Checkmarx’s statement does not say whether the attacker regained access or simply kept it for the intervening month. What it does say is that on April 22 the attacker published malicious Docker images and VS Code and Open VSX extensions for KICS, Checkmarx’s infrastructure‑as‑code scanner, and that those artifacts “stole credentials, keys, tokens, and config files” from the machines that ran them. Checkmarx presents the March 23 access to its GitHub environment and the April 22 publishing as two stages of one compromise chain.
Availability of the leaked dataset and Checkmarx's assurances
BleepingComputer reported that LAPSUS$ made a 96GB data pack available not only on dark‑web portals but also at clearnet locations, and said it had not examined the contents. Checkmarx has stated that its GitHub repository does not contain customer information, and has committed to notifying affected individuals immediately if customer information turns up in the leaked material. A forensic investigation is still determining exactly what data was exposed.
What this means for technologists, procurement leaders, and end users
- Technologists and security teams: The incident links a third‑party supply‑chain compromise (Trivy) to credential reuse downstream and, from there, to a GitHub repository compromise and trojanized release artifacts. Teams that consume vendor tooling should review repository access controls, artifact publishing paths, and how extensions and container images are pinned and verified before they reach developer machines or CI. Anyone who installed the April 22 KICS artifacts should treat credentials, keys, tokens, and config files on those hosts as exposed and rotate them.
- Procurement and vendor managers: The path from a Trivy supply‑chain attack to a Checkmarx breach shows why downstream credential exposure has to be tracked and why supply‑chain incident disclosure should be a contractual requirement for tool and dependency vendors.
- End users and customers of Checkmarx: Checkmarx asserts its GitHub repository does not store customer data and has pledged to notify affected individuals if customer information is found. Customers should watch for communications from the company and await the results of the forensic review.
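The container and extension angle of this incident comes down to a single practical question: would a consumer have noticed that an artifact under the vendor’s name had been replaced? A digest pin answers that, because a republished image has a different content digest even when it carries the same tag. The following is an added example written for this page, not code from Checkmarx, KICS, or BleepingComputer. It parses OCI image references, flags any that are not pinned by digest, and compares pinned digests against a hypothetical approved list. The image names, digests, and the allowlist are constructed placeholders, not indicators from the incident.

```python
import re

# Constructed sample inputs for this example; the names and digests are
# placeholders and are not indicators from the Checkmarx incident.
SAMPLE_REFS = [
    "checkmarx/kics",                               # no tag: implicit 'latest'
    "checkmarx/kics:latest",                        # floating tag
    "checkmarx/kics:v2.1.3",                        # version tag, still mutable
    "checkmarx/kics@sha256:" + "a" * 64,            # digest-pinned, approved
    "ghcr.io/example/tool:1.0@sha256:" + "b" * 64,  # digest-pinned, not approved
]

# Hypothetical allowlist: image name -> digest that was reviewed and approved.
APPROVED_DIGESTS = {
    "checkmarx/kics": "sha256:" + "a" * 64,
    "ghcr.io/example/tool": "sha256:" + "c" * 64,
}

_DIGEST_RE = re.compile(r"@(sha256:[0-9a-f]{64})$")


def split_ref(ref: str):
    """Split an OCI image reference into (name, tag, digest).

    tag and digest are None when absent. A registry port such as
    'registry:5000/app' is not mistaken for a tag, because a tag
    cannot contain '/'.
    """
    digest = None
    m = _DIGEST_RE.search(ref)
    if m:
        digest = m.group(1)
        ref = ref[: m.start()]
    name, sep, tag = ref.rpartition(":")
    if not sep or "/" in tag:
        return ref, None, digest
    return name, tag, digest


def audit_refs(refs, approved):
    """Return (ref, finding) pairs for references that would silently pick up
    a replaced image: anything not pinned by digest, or pinned to a digest
    that differs from the approved one for that image name."""
    findings = []
    for ref in refs:
        name, tag, digest = split_ref(ref)
        if digest is None:
            shown = tag if tag is not None else "latest (implicit)"
            findings.append((ref, f"not digest-pinned; tag '{shown}' is mutable"))
        elif approved.get(name) != digest:
            findings.append((ref, f"digest {digest[:19]}... does not match the approved digest"))
    return findings


if __name__ == "__main__":
    for ref, why in audit_refs(SAMPLE_REFS, APPROVED_DIGESTS):
        print(f"{ref}: {why}")
```

Run against a CI config or compose file, the floating and version-tagged references are the ones that would have pulled a trojanized image without any change on the consumer’s side; the mismatch case is what a pinned consumer sees when an upstream digest changes and the allowlist has not been deliberately updated. The same discipline applies to editor extensions: pin the publisher and version and verify the package digest rather than auto-updating from the marketplace.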
Containment, investigation, and the immediate timeline
Checkmarx said access to the affected GitHub repository has been blocked pending completion of the investigation, and that it expected to share more details “within the next 24 hours.” The company also characterized the published data as related to Checkmarx and as originating from the March 23 compromise.
Taken together, the company’s statements and the reporting describe a short but clear chain: credentials exposed through the TeamPCP‑attributed Trivy supply‑chain attack were used on March 23 to reach Checkmarx’s GitHub environment and publish malicious code; on April 22 a wider set of malicious KICS artifacts went out that exfiltrated credentials, keys, tokens, and config files from users who installed them; and data taken from the private repository later appeared on the LAPSUS$ extortion portal. Whether any customer data sits in that 96GB dump is the question the ongoing forensic analysis still has to answer.
Original story: https://www.bleepingcomputer.com/news/security/checkmarx-confirms-lapsus-hackers-leaked-its-stolen-github-data/