Checkmarx Confirms Data Stolen in Supply Chain Attack

Checkmarx on Tuesday confirmed that last month’s supply chain attack targeting its KICS open source project also resulted in data theft. The compromise was a result of the Trivy supply chain attack and allowed the attackers to hijack dozens of GitHub Action version tags to reference malware without visible changes. Attributed to the infamous TeamPCP hacking group, the compromise was part of a large campaign targeting multiple open source software ecosystems for credential and sensitive information theft. Around the same time that Checkmarx was hit, messages posted by TeamPCP and the infamous Lapsus$ extortion group suggested the two threat actors might have partnered for monetization purposes. Over the weekend, one month after the compromise, Lapsus$ added Checkmarx to its Tor-based leak site, claiming the theft of source code, employee databases, API keys, and MongoDB and MySQL credentials. “Current evidence indicates that this data originated from Checkmarx’s GitHub repositories, and that access to those repositories was facilitated through the initial supply chain attack of March 23, 2026,” Checkmarx said on Tuesday. The hackers accessed Checkmarx’s GitHub environment using credentials compromised via the Trivy hack on March 23 and poisoned two OpenVSX plugins and two GitHub Actions workflows. The company removed the malicious packages, revoked and rotated relevant credentials, and blocked outbound access to the attacker’s infrastructure. Despite these measures, the attackers either retained or regained access to the environment, and on April 22, published a fresh round of malicious code by poisoning a DockerHub KICS image, a GitHub action, a VS Code extension, and a Developer Assist extension. The second Checkmarx incident resulted in the compromise of the Bitwarden command-line interface (CLI) NPM package, one of the most popular open source password management platforms. The last phase in the Checkmarx supply chain attack was the publishing of a 96GB archive containing data that Lapsus$ claims was stolen from the company. “As part of our investigation into the incident, we identified that exfiltration of data took place on March 30, 2026,” Checkmarx says. As part of its ongoing efforts to remedy the issue, the company notified law enforcement, retained Mandiant to assist with the investigation, performed a broader credential reset, strengthened security controls, locked down access to GitHub repositories, and launched a code audit. “We are now in the final stages of our investigation and confirming that the unauthorized access has been fully contained. We will share further on this as soon as we are able,” Checkmarx says. Related: Vimeo Confirms User and Customer Data Breach Related: Luxury Cosmetics Giant Rituals Discloses Data Breach Related: Data Breaches at Healthcare Organizations in Illinois and Texas Affect 600,000 Related: Medtronic Hack Confirmed After ShinyHunters Threatens Data Leak WRITTEN BY Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. More from Ionut Arghire Alleged Chinese State Hacker Extradited to US Dozens of Open VSX Extension Clones Linked to GlassWorm Malware No Patch for New PhantomRPC Privilege Escalation Technique in Windows Spectrum Security Emerges From Stealth Mode With $19 Million Incomplete Windows Patch Opens Door to Zero-Click Attacks OpenSSH Flaw Allowing Full Root Shell Access Lurked for 15 Years UNC6692 Uses Email Bombing, Social Engineering to Deploy ‘Snow’ Malware Easily Exploitable ‘Pack2TheRoot’ Linux Vulnerability Leads to Root Access Latest News Hundreds of Internet-Facing VNC Servers Expose ICS/OT Iranian Cyber Group Handala Targets US Troops in Bahrain 38 Vulnerabilities Found in OpenEMR Medical Software Chrome 147, Firefox 150 Security Updates Rolling Out Critical GitHub Vulnerability Exposed Millions of Repositories Cyber Insurance Data Gives CISOs New Ammo for Budget Talks Vimeo Confirms User and Customer Data Breach The Mythos Moment: Enterprises Must Fight Agents with Agents Trending Webinar: A Step-By-Step Approach To AI Governance April 28, 2026 With "Shadow AI" usage becoming prevalent in organizations, learn how to balance the need for rapid experimentation with the rigorous controls required for enterprise-grade deployment. Register Virtual Event: Threat Detection And Incident Response Summit May 20, 2026 Delve into big-picture strategies to reduce attack surfaces, improve patch management, conduct post-incident forensics, and tools and tricks needed in a modern organization. Register People on the Move MongoDB has appointed Doug Bowers as Chief Information Security Officer. Ben Wilkens has been promoted to Director of Cybersecurity at NMFTA. Cato Networks has appointed Meital Koren as Chief Legal Officer. More People On The Move Expert Insights The Mythos Moment: Enterprises Must Fight Agents With Agents Only with the right platform and an agentic, AI-driven defense, will enterprises be able to protect themselves in the agentic era. (Etay Maor) Why Cybersecurity Must Rethink Defense In The Age Of Autonomous Agents From autonomous code generation to decision-making systems that initiate actions without human intervention, the industry is entering a new phase. (Torsten George) Government Can’t Win The Cyber War Without The Private Sector Securing national resilience now depends on faster, deeper partnerships with the private sector. (Steve Durbin) The Hidden ROI Of Visibility: Better Decisions, Better Behavior, Better Security Beyond monitoring and compliance, visibility acts as a powerful deterrent, shaping user behavior, improving collaboration, and enabling more accurate, data-driven security decisions. (Joshua Goldfarb) The New Rules Of Engagement: Matching Agentic Attack Speed The cybersecurity response to AI-enabled nation-state threats cannot be incremental. It must be architectural. (Nadir Izrael) Flipboard Reddit Whatsapp Email