Checkmarx on Tuesday confirmed that last month's supply chain attack targeting its KICS open source project also resulted in data theft.
The compromise was a result of the Trivy supply chain attack and allowed the attackers to hijack dozens of GitHub Action version tags to reference malware without visible changes.
Attributed to the notorious TeamPCP hacking group, the compromise was part of a large campaign targeting multiple open source software ecosystems for credential and sensitive information theft.
Around the same time that Checkmarx was hit, messages posted by TeamPCP and the notorious Lapsus$ extortion group suggested the two threat actors might have partnered for monetization purposes.
Over the weekend, one month after the compromise, Lapsus$ added Checkmarx to its Tor-based leak site, claiming the theft of source code, employee databases, API keys, and MongoDB and MySQL credentials.
“Current evidence indicates that this data originated from Checkmarx's GitHub repositories, and that access to those repositories was facilitated through the initial supply chain attack of March 23, 2026,” Checkmarx said on Tuesday.
The hackers accessed Checkmarx's GitHub environment using credentials compromised through the Trivy hack on March 23 and poisoned two OpenVSX plugins and two GitHub Actions workflows.
The company removed the malicious packages, revoked and rotated associated credentials, and blocked outbound access to the attacker's infrastructure.
Despite these measures, the attackers either retained or regained access to the environment, and on April 22, published a fresh round of malicious code by poisoning a DockerHub KICS image, a GitHub action, a VS Code extension, and a Developer Help extension.
The second Checkmarx incident resulted in the compromise of the Bitwarden command-line interface (CLI) NPM package, one of the most popular open source password management platforms.
The final phase of the Checkmarx supply chain attack was the publishing of a 96GB archive containing data that Lapsus$ claims was stolen from the company.
“As part of our investigation into the incident, we identified that exfiltration of data took place on March 30, 2026,” Checkmarx says.
As part of its ongoing efforts to remediate the issue, the company notified law enforcement, retained Mandiant to assist with the investigation, performed a broader credential reset, strengthened security controls, locked down access to GitHub repositories, and launched a code audit.
“We are now in the final stages of our investigation and confirming that the unauthorized access has been fully contained. We will share further on this as soon as we are able,” Checkmarx says.