Industry News & Leadership, Apr 27, 2026

Checkmarx Confirms GitHub Repository Data Posted on Dark Web After March 23 Attack

Source: The Hacker News. Archived Apr 27, 2026.



Ravie Lakshmanan, Apr 27, 2026

Checkmarx has disclosed that its ongoing investigation tied to the supply chain security incident has revealed that a cybercriminal group published data related to the company on the dark web.

"Based on current evidence, we believe this data originated from Checkmarx's GitHub repository, and that access to that repository was facilitated through the initial supply chain attack of March 23, 2026," the Israeli security company said. It also emphasized that the GitHub repository is maintained separately from its customer production environment, adding that no customer data is stored in the repository.

Checkmarx said its forensic probe into the incident is ongoing and that it's actively working to verify the nature and scope of the posted data. Furthermore, the company said it has locked down access to the affected GitHub repository as part of its incident response efforts.

"If we determine that customer information was involved in this incident, we will notify customers and all relevant parties immediately," it said.

The development comes after the Dark Web Informer shared in an X post that the LAPSUS$ cybercrime group claimed three victims on its data leak site, one of which includes Checkmarx. The data, per the listing, contains source code, employee database, API keys, and MongoDB/MySQL credentials.

Checkmarx suffered a breach late last month following the Trivy supply chain attack, as a result of which two of its GitHub Actions workflows and two plugins distributed via the Open VSX marketplace were tampered with to push a credential stealer capable of harvesting a wide range of developer secrets. The threat actor known as TeamPCP claimed responsibility for the attack.

Last week, the financially motivated group is suspected to have compromised Checkmarx's KICS Docker image, along with the two VS Code extensions and a GitHub Actions workflow with a similar credential-stealing malware. This, in turn, had a cascading impact, leading to a brief compromise of the Bitwarden CLI npm package.