Checkmarx Confirms GitHub Repository Data Posted on Dark Web After March 23 Attack

Summary

Checkmarx disclosed that a cybercriminal group published data from its GitHub repository on the dark web following a March 23, 2026 supply chain attack. The LAPSUS$ group claimed responsibility, with the leaked data reportedly containing source code, employee database, API keys, and database credentials. The company emphasized that no customer production data was compromised, as the GitHub repo is maintained separately from customer environments.

Full text

Checkmarx Confirms GitHub Repository Data Posted on Dark Web After March 23 Attack Ravie LakshmananApr 27, 2026 Checkmarx has disclosed that its ongoing investigation tied to the supply chain security incident has revealed that a cybercriminal group published data related to the company on the dark web. "Based on current evidence, we believe this data originated from Checkmarx's GitHub repository, and that access to that repository was facilitated through the initial supply chain attack of March 23, 2026," the Israeli security company said. It also emphasized that the GitHub repository is maintained separately from its customer production environment, adding that no customer data is stored in the repository. Checkmarx said its forensic probe into the incident is ongoing and that it's actively working to verify the nature and scope of the posted data. Furthermore, the company said it has locked down access to the affected GitHub repository as part of its incident response efforts. "If we determine that customer information was involved in this incident, we will notify customers and all relevant parties immediately," it said. The development comes after the Dark Web Informer shared in an X post that the LAPSUS$ cybercrime group claimed three victims on its data leak site, one of which includes Checkmarx. The data, per the listing, contains source code, employee database, API keys, and MongoDB/MySQL credentials. Checkmarx suffered a breach late last month following the Trivy supply chain attack, as a result of which two of its GitHub Actions workflows and two plugins distributed via the Open VSX marketplace were tampered with to push a credential stealer capable of harvesting a wide range of developer secrets. The threat actor known as TeamPCP claimed responsibility for the attack. Last week, the financially motivated group is suspected to have compromised Checkmarx's KICS Docker image, along with the two VS Code extensions and a GitHub Actions workflow with a similar credential-stealing malware. This, in turn, had a cascading impact, leading to a brief compromise of the Bitwarden CLI npm package. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  Credential Theft, cybersecurity, dark web, data breach, DevOps, GitHub, Incident response, Malware, Open Source, Supply Chain Security Trending News 108 Malicious Chrome Extensions Steal Google and Telegram Data, Affecting 20,000 Users Mirax Android RAT Turns Devices into SOCKS5 Proxies, Reaching 220,000 via Meta Ads New PHP Composer Flaws Enable Arbitrary Command Execution — Patches Released OpenAI Launches GPT-5.4-Cyber with Expanded Access for Security Teams Microsoft Issues Patches for SharePoint Zero-Day and 168 Other New Vulnerabilities Actively Exploited nginx-ui Flaw (CVE-2026-33032) Enables Full Nginx Server Takeover n8n Webhooks Abused Since October 2025 to Deliver Malware via Phishing Emails Cisco Patches Four Critical Identity Services, Webex Flaws Enabling Code Execution Apache ActiveMQ CVE-2026-34197 Added to CISA KEV Amid Active Exploitation Three Microsoft Defender Zero-Days Actively Exploited; Two Still Unpatched Anthropic MCP Design Vulnerability Enables RCE, Threatening AI Supply Chain Vercel Breach Tied to Context AI Hack Exposes Limited Customer Credentials Why Security Leaders Are Layering Email Defense on Top of Secure Email Gateways Why Threat Intelligence Is the Missing Link in CTEM Prioritization and Validation The Hidden Security Risks of Shadow AI in Enterprises Your MTTD Looks Great. Your Post-Alert Gap Doesn't Popular Resources Discover Key AI Security Gaps CISOs Face in 2026 Fix Rising Application Security Risks Driven by AI Development Automate Alert Triage and Investigations Across Every Threat How to Identify Risky Browser Extensions in Your Organization

Indicators of Compromise

• malware — Credential stealer

Entities