What began as a supply chain disruption has evolved into a major data leak. Checkmarx, a global leader in application security testing (AST), has confirmed that internal company data—including proprietary source code—has been published to the dark web by the cybercriminal group LAPSUS$.
This leak is the “third act” of an incident that began on March 23, 2026. Initially, the breach involved the poisoning of development tools like KICS and GitHub Actions. However, new forensic evidence confirms that the attackers successfully pivoted from these poisoned tools to infiltrate Checkmarx’s own internal GitHub environment.
The Attack Vector: The “Trivy” Domino Effect
The breach did not happen in a vacuum. It was part of a coordinated campaign by a threat actor known as TeamPCP, who initially exploited the Trivy vulnerability scanner.
By injecting credential-stealing malware into security scanners and VS Code extensions, the attackers harvested GitHub Personal Access Tokens (PATs) from Checkmarx developers. These stolen tokens acted as “master keys,” allowing the group to bypass standard security controls and clone private repositories without triggering traditional perimeter alarms.
What Data Was Exposed?
On April 25, 2026, the LAPSUS$ group posted a data dump stamped with a March 30 exfiltration date. According to dark web monitors and Checkmarx’s own forensic team (supported by Mandiant), the leaked files reportedly include:
- Proprietary Source Code: Core logic for various Checkmarx scanning engines.
- Internal Infrastructure Details: Technical documentation regarding internal network architecture.
- Employee Database: Contact information and internal directory details.
- Secrets & Credentials: API keys and credentials for MongoDB and MySQL databases used in development.
Containment: Isolating the Developer Environment
Upon discovering the dark web leak, Checkmarx immediately transitioned to a “Lockdown” phase.
Key Containment Actions:
- Repository Isolation: Access to the affected GitHub repositories was completely severed. This prevents the attackers from pushing further malicious code or maintaining persistence.
- Global Secret Rotation: Checkmarx has initiated a wide-scale rotation of all credentials, including SSH keys, cloud service tokens, and GitHub PATs.
- Code Audit: A line-by-line audit is underway to ensure no “logic bombs” or backdoors were left behind in the source code before the repositories were locked.
The “Safety Barrier”: Is Customer Data Safe?
One of the most critical questions in any security vendor breach is whether the “security of the product” has been compromised. Checkmarx has issued strong reassurances based on their segmentation architecture.
Why the Risk to Customers is Low:
- Environment Separation: Checkmarx maintains its development GitHub environment entirely separate from its customer-facing production servers.
- No Data Overlap: Corporate policy strictly prohibits the storage of any customer PII (Personally Identifiable Information) or production database backups within GitHub repositories.
- Artifact Sanitization: Checkmarx has already released “clean” versions of its GitHub Actions and VS Code plugins (e.g., ast-github-action v2.3.33).
Next Steps for Checkmarx Users
While customer data appears safe, the “cascading” nature of supply chain attacks requires a proactive defense.
- Audit Your CI/CD Pipelines: If your team used the Checkmarx AST or KICS GitHub Actions between March 23 and April 22, 2026, you must rotate any secrets that were accessible to those runners.
- Update All Plugins: Ensure all developers are using the latest verified versions of Checkmarx extensions from the Open VSX marketplace or GitHub.
- Monitor for Identity Theft: Given the leak of employee data, be alert for sophisticated BEC (Business Email Compromise) attacks targeting Checkmarx staff or their contacts.
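To make the first step concrete, here is an added example (not from the article or from Checkmarx) that scans a GitHub Actions workflow file for uses of the affected Checkmarx actions, lists every repository secret that workflow hands to the runner so it can be queued for rotation, and flags pins that differ from the cleaned ast-github-action release named above. The action owner/repo names and the sample workflow are assumptions; the clean version number comes from the article.

```python
import re

# Actions the article names as poisoned, as they appear in workflow `uses:` lines
# (owner/repo names assumed from the public action names).
AFFECTED_ACTIONS = ("checkmarx/ast-github-action", "checkmarx/kics-github-action")
# Version the article reports as the cleaned release; any other pin gets flagged for review.
CLEAN_VERSIONS = {"checkmarx/ast-github-action": "v2.3.33"}

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+)@([\w./-]+)", re.M)
SECRET_RE = re.compile(r"\$\{\{\s*secrets\.([A-Za-z_]\w*)\s*\}\}")
INHERIT_RE = re.compile(r"^\s*secrets:\s*inherit\s*$", re.M)

def audit_workflow(text: str) -> dict:
    """Report affected action uses and every secret the same workflow hands to its runner.
    GITHUB_TOKEN is job-scoped and expires with the job, so it is not listed for rotation."""
    uses = [(a, ref) for a, ref in USES_RE.findall(text) if a.lower() in AFFECTED_ACTIONS]
    secrets = sorted({s for s in SECRET_RE.findall(text) if s != "GITHUB_TOKEN"})
    if INHERIT_RE.search(text):
        # A reusable-workflow call with `secrets: inherit` exposes all repo/org secrets.
        secrets.append("<all secrets via 'secrets: inherit'>")
    return {
        "affected_uses": uses,
        "secrets_to_rotate": secrets if uses else [],
        "review_pins": [f"{a}@{ref}" for a, ref in uses if CLEAN_VERSIONS.get(a.lower()) != ref],
    }

# Constructed sample workflow for offline demonstration (not a real Checkmarx workflow).
SAMPLE_WORKFLOW = """\
name: Checkmarx scan
jobs:
  scan:
    steps:
      - uses: actions/checkout@v4
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Checkmarx AST
        uses: checkmarx/ast-github-action@v2.3.30
        with:
          cx_client_id: ${{ secrets.CX_CLIENT_ID }}
          cx_client_secret: ${{ secrets.CX_CLIENT_SECRET }}
      - uses: checkmarx/kics-github-action@main
      - run: ./deploy.sh
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
"""
```

Run `audit_workflow()` over each file under `.github/workflows/` in repositories that ran these actions during the window; every name in `secrets_to_rotate` is a credential the poisoned runner could have read.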
Conclusion: The Hunter Becomes the Hunted
The Checkmarx incident is a sobering reminder that security companies are high-value targets. By compromising the tools that developers trust to find vulnerabilities, threat actors can achieve unprecedented reach. Checkmarx’s transparency in this incident provides a roadmap for other firms: isolate, rotate, and communicate.