Checkmarx confirms LAPSUS$ hackers leaked its stolen GitHub data
LAPSUS$ leaks 96GB of Checkmarx data stolen via Trivy supply-chain attack.
Summary
Checkmarx confirmed that the LAPSUS$ threat group leaked data stolen from its private GitHub repository, with initial access traced to the Trivy supply-chain attack attributed to TeamPCP. Using credentials harvested from the Trivy incident, attackers accessed Checkmarx's GitHub on March 23 and published malicious Docker images and VSCode extensions for the KICS scanner on April 22. The 96GB data pack was published to both dark web and clearnet portals; Checkmarx stated that the leak does not contain customer information, but a forensic investigation is ongoing.
Full text
By Bill Toulas, April 28, 2026, 10:50 AM

Application security company Checkmarx has confirmed that the LAPSUS$ threat group leaked data stolen from its private GitHub repository.

Although the investigation is ongoing, Checkmarx believes that the access vector was the Trivy supply-chain attack attributed to the hacker group known as TeamPCP, which provided access to credentials from downstream users.

Using stolen credentials obtained from the Trivy incident, the threat actor was able to access Checkmarx's GitHub repositories and publish malicious code on March 23.

"As a result of that access, the attackers were able to interact with Checkmarx’s GitHub environment and subsequently publish malicious code to certain artifacts," the company explains.

On April 22, as a result of their renewed access or month-long persistence, the attacker published malicious Docker images and VSCode and Open VSX extensions for Checkmarx’s KICS security scanner, which stole credentials, keys, tokens, and config files.

In an update yesterday, the company confirmed that the data that the LAPSUS$ group published on their extortion portal belonged to Checkmarx and originated from the March 23 compromise.

“Our investigation, conducted with support from a leading third-party forensic firm, indicates that a cybercriminal group has published data related to Checkmarx to the dark web,” reads the update.

“Based on current evidence, we believe this data originated from Checkmarx’s GitHub repository, and that access to that repository was facilitated through the initial supply chain attack of March 23, 2026.”

Although Checkmarx and media outlets reported that this data was leaked on the dark web, BleepingComputer has found that LAPSUS$ has also made the 96GB data pack available through clearnet portals.
[Image: Checkmarx data leak on the LAPSUS$ site. Source: BleepingComputer]

BleepingComputer has not examined the content of the leaked data, but Checkmarx assured that it does not contain customer information, as this is not stored in the company's GitHub repository.

A forensic investigation is underway to determine the exact type of data that has been exposed. The company states that, if customer information is found in the leaked data, affected individuals will be notified immediately.

Access to the affected GitHub repository has been blocked until the investigation is complete. Checkmarx estimates that it will be able to share more details within the next 24 hours.
Indicators of Compromise
- malware — KICS (malicious extensions)