Checkmarx Investigates Dark Web Data Leak After Sophisticated Supply Chain Cyberattack


Israeli application security firm Checkmarx has confirmed that data associated with its internal systems has appeared on the dark web. This revelation follows a sophisticated supply chain cyberattack first detected on March 23, 2026. The ongoing investigation has raised alarms among cybersecurity experts, who caution that the incident could have far-reaching implications for the global developer ecosystem.

Breach Traced to GitHub Repository Access

In a public statement, Checkmarx disclosed that preliminary forensic evidence suggests the leaked data originated from one of its GitHub repositories. Unauthorized access to this repository was facilitated during the earlier supply chain compromise. The firm emphasized that the affected repository operates independently from its production environment, asserting that no customer data is stored within it. However, investigators continue to assess the exact contents and sensitivity of the exposed information.

“As part of our response, we have restricted access to the impacted repository and are continuing a comprehensive forensic analysis,” the company stated. It also noted that any confirmed exposure of customer-related information would trigger immediate notification procedures.

Dark Web Claims Suggest Sensitive Data Exposure

The situation intensified when the cybercrime intelligence account Dark Web Informer reported that the notorious hacking collective LAPSUS$ had listed Checkmarx among its latest victims on a data leak site. According to the listing, the allegedly stolen dataset may include sensitive information, although these claims have not been fully verified by Checkmarx. If authentic, such information could pose significant risks, including unauthorized system access, intellectual property theft, and further downstream attacks.

Supply Chain Attack: A Growing Threat Vector

This breach is emblematic of a broader and increasingly prevalent category of cyberattacks known as supply chain compromises. Attackers reportedly exploited vulnerabilities in third-party tools and development pipelines used by Checkmarx. The initial intrusion has been linked to the compromise of Trivy, an open-source vulnerability scanner, which enabled attackers to manipulate Checkmarx’s development workflows. Specifically, two GitHub Actions workflows and plugins distributed through the Open VSX marketplace were modified to include credential-stealing malware.

This malicious code was capable of harvesting sensitive developer secrets, including access tokens, encryption keys, and environment variables—assets that hold significant value in modern software development environments.
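The workflow modifications described above are only possible when a pipeline trusts a third-party action by a mutable reference (a tag or branch) that the action's maintainer, or whoever compromises them, can move. One defensive check a practitioner would want is an audit of every `uses:` line in a repository's workflow files, flagging references that are not pinned to a full commit SHA. The following script is an added example written for this article; it is not Checkmarx's code, and the workflow text, organisation names and SHA in it are constructed placeholders rather than the workflows the article refers to.

```python
"""Audit GitHub Actions workflow text for third-party actions that are not
pinned to a full 40-hex commit SHA.

Added example for illustration; not the article's or Checkmarx's code.
"""
import re
from typing import Dict, List, Optional

# Constructed sample workflow. Action names and the SHA are placeholders.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: "example-org/scanner-action@main"
      - uses: example-org/pinned-action@0123456789abcdef0123456789abcdef01234567 # v1.2.3
      - uses: ./.github/actions/local-step
      - uses: docker://example/image:latest
      - name: build
        run: make build
"""

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches "uses: <value>" at the start of a step, optionally quoted,
# stopping at whitespace, a quote or a trailing comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)", re.MULTILINE)


def parse_uses(workflow_text: str) -> List[str]:
    """Return every `uses:` value in the workflow, in order."""
    return USES_RE.findall(workflow_text)


def classify(uses: str) -> Dict[str, Optional[object]]:
    """Describe one `uses:` reference and whether it is immutably pinned."""
    if uses.startswith("./"):
        # Local actions live in the repository itself and are reviewed with it.
        return {"uses": uses, "kind": "local", "ref": None, "pinned": True}
    if uses.startswith("docker://"):
        image = uses[len("docker://"):]
        ref = image.split("@", 1)[1] if "@" in image else None
        # A container image is only immutable when referenced by digest.
        return {"uses": uses, "kind": "docker", "ref": ref,
                "pinned": ref is not None and ref.startswith("sha256:")}
    _action, _, ref = uses.partition("@")
    # Tags and branches can be moved by the publisher; only a full commit
    # SHA names exactly one revision.
    return {"uses": uses, "kind": "remote", "ref": ref or None,
            "pinned": bool(SHA_RE.match(ref))}


def audit(workflow_text: str) -> List[Dict[str, Optional[object]]]:
    """Return the references that are not pinned to an immutable revision."""
    return [c for c in map(classify, parse_uses(workflow_text)) if not c["pinned"]]


def main() -> None:
    findings = audit(SAMPLE_WORKFLOW)
    for f in findings:
        print(f"UNPINNED {f['kind']:6} {f['uses']} (ref={f['ref']})")
    print(f"{len(findings)} unpinned reference(s)")


if __name__ == "__main__":
    main()
```

Pinning alone is not sufficient: a SHA must be one that was reviewed before it was adopted, since a compromised upstream can publish a malicious commit just as easily as it can move a tag. The audit is useful as a gate in a pre-merge check, paired with a review of what changed when a pinned SHA is bumped.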

Threat Actors and Expanding Impact

Responsibility for the initial attack has been attributed to a threat group known as TeamPCP. However, the subsequent data leak claims have been tied to LAPSUS$, a financially motivated cybercrime group with a history of high-profile breaches. Further complicating the situation, researchers have identified additional compromises affecting Checkmarx’s KICS Docker image, as well as its Visual Studio Code extensions and GitHub workflows. These components were also reportedly weaponized to distribute similar credential-stealing malware.

The ripple effects of this breach extend beyond Checkmarx itself. In a notable downstream incident, the breach contributed to a temporary compromise of the CLI package for Bitwarden, a widely used password management tool. Although the issue was quickly contained, it underscored the cascading risks inherent in interconnected software supply chains.

Key Details About LAPSUS$

LAPSUS$ (also known as Strawberry Tempest or ShinyHunters) is a notorious international cybercrime group active since 2021, recognized for high-profile extortion attacks against major tech firms such as Microsoft, Nvidia, and Samsung. Primarily composed of teenagers based in the UK and Brazil, the group employs social engineering, SIM swapping, and MFA fatigue to gain access.

  • Targeted Organizations: LAPSUS$ has attacked large-scale targets across technology, government, healthcare, telecom, and media sectors.
  • Methods: The group often focuses on data theft and extortion rather than traditional ransomware, stealing sensitive data and threatening to leak it.
  • Techniques: They utilize phone-based social engineering, pay insiders for credentials, and compromise personal email accounts of employees.
  • Arrests and Status: Several members were arrested in 2022, including a prominent teenage member from Oxford, UK, who was later given an indefinite hospital order in 2023.
  • Impact: They have been linked to breaches of companies like Ubisoft, Okta, and Rockstar Games, causing significant disruption.

Industry-Wide Implications

This incident highlights a critical vulnerability in modern software development: the reliance on third-party tools and automated pipelines. Supply chain attacks are particularly dangerous as they exploit trust relationships. When attackers infiltrate a trusted component, they can potentially reach millions of downstream users.

The Checkmarx case follows a series of similar high-profile incidents in recent years, reinforcing calls for stricter security controls, improved code-signing practices, and enhanced monitoring of development environments.

Ongoing Investigation and Next Steps

Checkmarx has reiterated that its investigation remains active and that it is collaborating with cybersecurity experts to assess the full scope of the breach. The company has implemented containment measures, including revoking credentials and securing affected assets.

Key unanswered questions remain:

  • What exact data was exfiltrated?
  • Are customer environments truly unaffected?
  • Could additional organizations be indirectly impacted?

As the investigation unfolds, the incident serves as a stark reminder of the evolving sophistication of cyber threats and the importance of securing every layer of the software supply chain.

Source: www.linkedin.com
