Checkmarx Data Breach: Source Code and Credentials Leaked on Dark Web
In a significant cybersecurity incident, Checkmarx, a leading application security testing firm, has confirmed that sensitive data from its GitHub repository has been published on the dark web. This breach is linked to a supply chain attack that occurred on March 23, 2026, which allowed unauthorized access to the company’s systems.
Background of the Breach
The initial breach was facilitated through a supply chain attack targeting Trivy, an open-source vulnerability scanner. On March 19, 2026, the hacking group known as TeamPCP infiltrated Trivy by embedding an infostealer into the scanner. This malicious code harvested user secrets, cloud credentials, SSH keys, and Kubernetes configuration files. Subsequently, TeamPCP established persistent backdoors on the devices of affected developers, enabling further unauthorized access. ([techradar.com](https://www.techradar.com/pro/security/checkmarx-admits-it-was-hit-by-major-cyberattack-that-saw-data-leaked-onto-dark-web?utm_source=openai))
Leveraging this access, the attackers expanded their reach to other environments, including LiteLLM, Telnyx, and KICS. They also compromised additional Checkmarx tools, GitHub Actions, and two Open VSX plugins. The malware deployed was capable of exfiltrating browser data (cookies, autofill information, browsing history, bookmarks, credit card details, and login credentials from browsers like Opera, Chrome, Brave, Vivaldi, Yandex, and Edge); Discord data (including tokens that can be used to access accounts); cryptocurrency wallet data; Telegram chat sessions; computer files; and Instagram data. It is estimated that over 170,000 individuals may have been at risk due to this attack. ([techradar.com](https://www.techradar.com/pro/security/checkmarx-admits-it-was-hit-by-major-cyberattack-that-saw-data-leaked-onto-dark-web?utm_source=openai))
Confirmation and Response
On April 26, 2026, Checkmarx officially confirmed the breach in a security update. The company stated that the leaked data originated from its GitHub repository, accessed through the initial supply chain attack. Checkmarx emphasized that its GitHub repository is maintained separately from customer production environments and that customer data is not stored in these repositories. The company has locked down access to the affected repository and is conducting a thorough forensic investigation to verify the nature and scope of the posted data. ([checkmarx.com](https://checkmarx.com/blog/checkmarx-security-update-april-26/?utm_source=openai))
Threat Actor Claims
A day before Checkmarx’s official confirmation, the threat group Lapsus$ added Checkmarx to its data leak website, claiming to have exfiltrated source code, API keys, MongoDB and MySQL login credentials, and employee details. Checkmarx has not commented on these specific claims but is actively investigating the extent of the data compromised. ([techradar.com](https://www.techradar.com/pro/security/checkmarx-admits-it-was-hit-by-major-cyberattack-that-saw-data-leaked-onto-dark-web?utm_source=openai))
Implications and Recommendations
This incident underscores the critical importance of securing supply chains and development environments. Supply chain attacks can have far-reaching consequences, as they exploit trusted relationships between organizations and their third-party vendors or tools.
Organizations are advised to:
– Review and Strengthen Supply Chain Security: Regularly assess the security posture of third-party vendors and tools integrated into development processes.
– Implement Least Privilege Access Controls: Ensure that access to repositories and sensitive data is restricted to only those who require it for their roles.
– Monitor for Unauthorized Access: Deploy monitoring solutions to detect unusual activities within development environments and repositories.
– Educate Developers on Security Best Practices: Provide training on recognizing and mitigating potential security threats, including the risks associated with third-party tools.
Checkmarx has committed to providing further updates as its investigation progresses. Customers and partners are encouraged to stay informed through official channels and to reach out to Checkmarx support for any concerns or assistance.