Checkmarx Confirms Data Stolen in Supply Chain Attack

Summary

Checkmarx disclosed that a March 2026 supply chain attack on its KICS open source project and related ecosystems resulted in the exfiltration of source code, employee databases, API keys, and database credentials. The compromise, attributed to TeamPCP and partnered with extortion group Lapsus$, involved hijacking GitHub Actions and poisoning multiple distribution channels including DockerHub, VS Code extensions, and NPM packages. Data exfiltration occurred on March 30, with a 96GB archive later published on Lapsus$'s leak site; Checkmarx engaged Mandiant and law enforcement in response.

Full text

Checkmarx on Tuesday confirmed that last month’s supply chain attack targeting its KICS open source project also resulted in data theft. The compromise was a result of the Trivy supply chain attack and allowed the attackers to hijack dozens of GitHub Action version tags to reference malware without visible changes. Attributed to the infamous TeamPCP hacking group, the compromise was part of a large campaign targeting multiple open source software ecosystems for credential and sensitive information theft. Around the same time that Checkmarx was hit, messages posted by TeamPCP and the infamous Lapsus$ extortion group suggested the two threat actors might have partnered for monetization purposes. Over the weekend, one month after the compromise, Lapsus$ added Checkmarx to its Tor-based leak site, claiming the theft of source code, employee databases, API keys, and MongoDB and MySQL credentials. “Current evidence indicates that this data originated from Checkmarx’s GitHub repositories, and that access to those repositories was facilitated through the initial supply chain attack of March 23, 2026,” Checkmarx said on Tuesday.Advertisement. Scroll to continue reading. The hackers accessed Checkmarx’s GitHub environment using credentials compromised via the Trivy hack on March 23 and poisoned two OpenVSX plugins and two GitHub Actions workflows. The company removed the malicious packages, revoked and rotated relevant credentials, and blocked outbound access to the attacker’s infrastructure. Despite these measures, the attackers either retained or regained access to the environment, and on April 22, published a fresh round of malicious code by poisoning a DockerHub KICS image, a GitHub action, a VS Code extension, and a Developer Assist extension. The second Checkmarx incident resulted in the compromise of the Bitwarden command-line interface (CLI) NPM package, one of the most popular open source password management platforms. The last phase in the Checkmarx supply chain attack was the publishing of a 96GB archive containing data that Lapsus$ claims was stolen from the company. “As part of our investigation into the incident, we identified that exfiltration of data took place on March 30, 2026,” Checkmarx says. As part of its ongoing efforts to remedy the issue, the company notified law enforcement, retained Mandiant to assist with the investigation, performed a broader credential reset, strengthened security controls, locked down access to GitHub repositories, and launched a code audit. “We are now in the final stages of our investigation and confirming that the unauthorized access has been fully contained. We will share further on this as soon as we are able,” Checkmarx says. Related: Vimeo Confirms User and Customer Data Breach Related: Luxury Cosmetics Giant Rituals Discloses Data Breach Related: Data Breaches at Healthcare Organizations in Illinois and Texas Affect 600,000 Related: Medtronic Hack Confirmed After ShinyHunters Threatens Data Leak Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. More from Ionut Arghire Alleged Chinese State Hacker Extradited to USDozens of Open VSX Extension Clones Linked to GlassWorm MalwareNo Patch for New PhantomRPC Privilege Escalation Technique in WindowsSpectrum Security Emerges From Stealth Mode With $19 MillionIncomplete Windows Patch Opens Door to Zero-Click AttacksOpenSSH Flaw Allowing Full Root Shell Access Lurked for 15 YearsUNC6692 Uses Email Bombing, Social Engineering to Deploy ‘Snow’ MalwareEasily Exploitable ‘Pack2TheRoot’ Linux Vulnerability Leads to Root Access Latest News Iranian Cyber Group Handala Targets US Troops in Bahrain38 Vulnerabilities Found in OpenEMR Medical SoftwareChrome 147, Firefox 150 Security Updates Rolling OutCritical GitHub Vulnerability Exposed Millions of RepositoriesCyber Insurance Data Gives CISOs New Ammo for Budget TalksVimeo Confirms User and Customer Data BreachThe Mythos Moment: Enterprises Must Fight Agents with AgentsWebinar Today: A Step-by-Step Approach to AI Governance Trending Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: A Step-by-Step Approach to AI Governance April 28, 2026 With "Shadow AI" usage becoming prevalent in organizations, learn how to balance the need for rapid experimentation with the rigorous controls required for enterprise-grade deployment. Register Virtual Event: Threat Detection and Incident Response Summit May 20, 2026 Delve into big-picture strategies to reduce attack surfaces, improve patch management, conduct post-incident forensics, and tools and tricks needed in a modern organization. Register People on the MoveMongoDB has appointed Doug Bowers as Chief Information Security Officer.Ben Wilkens has been promoted to Director of Cybersecurity at NMFTA.Cato Networks has appointed Meital Koren as Chief Legal Officer.More People On The MoveExpert Insights The Mythos Moment: Enterprises Must Fight Agents with Agents Only with the right platform and an agentic, AI-driven defense, will enterprises be able to protect themselves in the agentic era. (Etay Maor) Why Cybersecurity Must Rethink Defense in the Age of Autonomous Agents From autonomous code generation to decision-making systems that initiate actions without human intervention, the industry is entering a new phase. (Torsten George) Government Can’t Win the Cyber War Without the Private Sector Securing national resilience now depends on faster, deeper partnerships with the private sector. (Steve Durbin) The Hidden ROI of Visibility: Better Decisions, Better Behavior, Better Security Beyond monitoring and compliance, visibility acts as a powerful deterrent, shaping user behavior, improving collaboration, and enabling more accurate, data-driven security decisions. (Joshua Goldfarb) The New Rules of Engagement: Matching Agentic Attack Speed The cybersecurity response to AI-enabled nation-state threats cannot be incremental. It must be architectural. (Nadir Izrael) Flipboard Reddit Whatsapp Whatsapp Email

Indicators of Compromise

• malware — TeamPCP
• malware — Trivy supply chain attack

Entities