Checkmarx has disclosed that its ongoing investigation tied to the supply chain security incident has found that a cybercriminal group posted data related to the company on the dark web.
"Based on current evidence, we believe this data originated from Checkmarx's GitHub repository, and that access to that repository was facilitated through the initial supply chain attack of March 23, 2026," the Israeli security company said.
It also emphasized that the GitHub repository is maintained separately from its customer production environment, adding that no customer data is stored in the repository. Checkmarx said its forensic probe into the incident is ongoing and that it is actively working to verify the nature and scope of the posted data.
Furthermore, the company said it has locked down access to the affected GitHub repository as part of its incident response efforts.
"If we determine that customer information was involved in this incident, we will notify customers and all relevant parties immediately," it said.
The development comes after the Dark Web Informer shared in an X post that the LAPSUS$ cybercrime group claimed three victims on its data leak site, one of which includes Checkmarx. The data, per the listing, contains source code, an employee database, API keys, and MongoDB/MySQL credentials.
Checkmarx suffered a breach late last month following the Trivy supply chain attack, as a result of which two of its GitHub Actions workflows and two plugins distributed via the Open VSX marketplace were tampered with to push a credential stealer capable of harvesting a wide range of developer secrets. The threat actor known as TeamPCP claimed responsibility for the attack.
Last week, the financially motivated group is suspected to have compromised Checkmarx's KICS Docker image, along with the two VS Code extensions and a GitHub Actions workflow, with the same credential-stealing malware. This, in turn, had a cascading impact, leading to a brief compromise of the Bitwarden CLI npm package.