Checkmarx Supply Chain Attack and Dark Web Data Leak: Expert Analysis of the Incident

CyberSecureFox

Application security vendor Checkmarx is continuing to investigate a significant software supply chain attack that has reportedly led to internal data being published on a Dark Web leak site. The case illustrates how even security vendors remain exposed to sophisticated attacks that target the software delivery pipeline rather than production environments directly.

Checkmarx data leak: what is known about the Dark Web publication

According to Checkmarx, early findings from the ongoing investigation indicate that the leaked data likely originates from a corporate GitHub repository. The attacker is believed to have gained access as part of an initial supply chain compromise dated 23 March 2026.

The company stresses that this repository is physically and logically separated from customer production environments and does not store client data. Digital forensics teams are currently assessing the type, volume, and sensitivity of the exposed information to clarify exactly what has been compromised.

As an immediate containment measure, access to the affected GitHub repository has been revoked, and access-control and key-management policies are being reviewed. Checkmarx has committed to notifying all impacted customers without delay if any client-related information is confirmed among the leaked materials.

LAPSUS$, TeamPCP and responsibility for the cyber attack

The incident drew additional attention after Dark Web monitoring accounts reported a new listing allegedly associated with the cybercriminal group LAPSUS$, naming Checkmarx as one of three new victims. The post claims the dataset includes source code, an employee database, API keys, and credentials for MongoDB and MySQL.

Independent validation of this claim is currently limited, and Checkmarx has not confirmed the full scope of the stolen data. Ambiguity at this stage is typical for complex breach investigations, where premature disclosure can hinder incident response and remediation efforts.

Separately, responsibility for the original supply chain compromise has been claimed by another threat actor group known as TeamPCP. This group is alleged to have interfered with Checkmarx’s development and software publishing processes, inserting malicious changes into trusted components.

Technical details of the Checkmarx supply chain compromise

The Checkmarx incident is closely tied to a supply chain attack involving Trivy, a widely used open source scanner for containers and cloud infrastructure. Attackers reportedly modified two GitHub Actions workflow files and two extensions published on the Open VSX marketplace.

These altered components covertly delivered credential-stealing malware designed to harvest developer secrets such as access tokens, passwords, API keys, and sensitive environment variables. With valid credentials, adversaries can pivot laterally across services and infrastructure while appearing as legitimate users.

The same threat actor then appears to have extended the campaign by compromising a Docker image of Checkmarx KICS, two Visual Studio Code extensions, and an additional GitHub Actions workflow with similar spying capabilities. Investigators report that this created a cascade effect, leading to temporary compromise of the Bitwarden CLI npm package, which was part of the broader software supply chain.

Why software supply chain attacks are increasingly dangerous

Unlike traditional intrusions that focus on production systems, supply chain attacks target the development and delivery processes themselves. By compromising build pipelines, repositories, or package registries, attackers can distribute malicious code or tools for data theft as part of legitimate updates.

High-profile incidents such as SolarWinds and the compromise of popular npm and PyPI packages have demonstrated that one poisoned component can affect thousands of downstream organizations. In modern DevOps environments, GitHub Actions, CI/CD platforms, and infrastructure-as-code pipelines often have broad access to secrets and production resources, turning them into attractive targets.

Key DevSecOps measures to strengthen supply chain security

1. Robust secrets management and rotation

Organizations should use dedicated secrets management systems rather than storing passwords, tokens, or API keys in source code or configuration files. Regular key rotation, fine-grained access scopes, and automated revocation of exposed secrets are essential to limit the impact of credential theft.

2. Hardening CI/CD pipelines and GitHub Actions

Security for CI/CD systems should follow the principle of least privilege. This includes minimizing token permissions, isolating workflows, reviewing third-party actions and plugins, and enforcing code signing and artifact integrity checks for container images and build outputs.
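Part of the review described above can be automated. The following Python sketch is an added example, not code from Checkmarx or from the original article: it flags workflow steps whose third-party action or container image is referenced by a mutable tag or branch rather than a full commit SHA or digest, and workflows with no explicit `permissions:` block. The sample workflow and the action names in it are constructed for illustration.

```python
import re

# Constructed sample workflow (not taken from any real repository).
SAMPLE_WORKFLOW = """\
name: build
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/scanner-action@main
      - uses: example-org/publish-action@0123456789abcdef0123456789abcdef01234567  # v1.2.3
      - uses: ./.github/actions/local-step
      - uses: docker://example.invalid/tool:latest
"""

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
PERMISSIONS_RE = re.compile(r"^\s*permissions:", re.MULTILINE)


def audit_workflow(text):
    """Return (line_number, reference, reason) findings; line 0 is file-level."""
    findings = []
    if not PERMISSIONS_RE.search(text):
        findings.append((0, "permissions",
                         "no explicit permissions block; GITHUB_TOKEN gets the default scopes"))
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        if ref.startswith("./"):
            continue  # local action, reviewed together with the repository
        if ref.startswith("docker://"):
            if not DIGEST_RE.search(ref):
                findings.append((lineno, ref, "container image not pinned by digest"))
            continue
        _, _, version = ref.partition("@")
        if not FULL_SHA_RE.match(version):
            findings.append((lineno, ref, "mutable tag or branch, not a full commit SHA"))
    return findings


if __name__ == "__main__":
    for lineno, ref, reason in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref}: {reason}")
```

A tag or branch can be moved to different code after review, whereas a 40-character commit SHA or an image digest cannot, which is why only those forms pass the check.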

3. Continuous monitoring of the software supply chain

Implementing and maintaining an SBOM (Software Bill of Materials) helps teams understand exactly which components and dependencies are in use. Coupled with integrity verification, anomaly detection, and threat intelligence, SBOM data enables rapid assessment and response when a component in the ecosystem is compromised.

4. Transparency, coordinated disclosure and incident response

Fast, transparent sharing of technical details, indicators of compromise (IoCs), and remediation guidance reduces systemic risk for the wider community. Clear incident response plans, tabletop exercises, and collaboration with CERTs and industry peers help organizations contain supply chain attacks more effectively.

The Checkmarx incident underscores that software supply chain security is now a core pillar of modern cybersecurity strategy. Organizations should reassess their DevSecOps practices, tighten control over CI/CD infrastructure, adopt disciplined secrets management, and continuously educate development teams on secure coding and pipeline hygiene. Proactive investment in these areas significantly reduces the likelihood that the next large-scale supply chain breach will originate from their own environment.
