April 28, 2026
Ravie Lakshmanan, Apr 27, 2026

Checkmarx has disclosed that its ongoing investigation tied to the supply chain security incident has revealed that a cybercriminal group published data related to the company on the dark web.

“Based on current evidence, we believe this data originated from Checkmarx’s GitHub repository, and that access to that repository was facilitated through the initial supply chain attack of March 23, 2026,” the Israeli security company said.

It also emphasized that the GitHub repository is maintained separately from its customer production environment, adding that no customer data is stored in the repository. Checkmarx said its forensic probe into the incident is ongoing and that it is actively working to verify the nature and scope of the posted data.

Additionally, the company said it has locked down access to the affected GitHub repository as part of its incident response efforts.

“If we determine that customer information was involved in this incident, we’ll notify customers and all relevant parties immediately,” it said.

The development comes after Dark Web Informer shared in an X post that the LAPSUS$ cybercrime group claimed three victims on its data leak site, one of which includes Checkmarx. The data, per the listing, contains source code, employee database, API keys, and MongoDB/MySQL credentials.

Checkmarx suffered a breach late last month following the Trivy supply chain attack, as a result of which two of its GitHub Actions workflows and two plugins distributed via the Open VSX marketplace were tampered with to push a credential stealer capable of harvesting a wide range of developer secrets. The threat actor known as TeamPCP claimed responsibility for the attack.

Last week, the financially motivated group is suspected to have compromised Checkmarx’s KICS Docker image, together with the two VS Code extensions and a GitHub Actions workflow with the same credential-stealing malware. This, in turn, had a cascading impact, leading to a brief compromise of the Bitwarden CLI npm package.
