Full Report
Checkmarx has disclosed that its ongoing investigation tied to the supply chain security incident has revealed that a cybercriminal group published data related to the company on the dark web. "Based on current evidence, we believe this data originated from Checkmarx's GitHub repository, and that access to that repository was facilitated through the initial supply chain attack of March 23, 2026,
Analysis Summary
# Incident Report: Checkmarx GitHub Repository Breach and Data Leak
## Executive Summary
Checkmarx confirmed that data stolen from its GitHub repository was published on the dark web following a multi-stage supply chain attack. The breach originated from a compromised GitHub Actions workflow in March 2026, which allowed attackers to exfiltrate source code, credentials, and internal databases. While internal source code was leaked, Checkmarx reports that customer production environments remain unaffected.
## Incident Details
- **Discovery Date:** April 26, 2026 (dark web publication discovered)
- **Incident Date:** March 23, 2026 (Initial compromise)
- **Affected Organization:** Checkmarx
- **Sector:** Cybersecurity / Software Development
- **Geography:** Israel (Global impact via supply chain)
## Timeline of Events
### Initial Access
- **Date/Time:** March 23, 2026
- **Vector:** Supply Chain Compromise (Trivy attack)
- **Details:** Attackers exploited the Trivy supply chain to compromise two of Checkmarx’s GitHub Actions workflows and two plugins on the Open VSX marketplace.
### Lateral Movement
- **Details:** Using a credential stealer deployed via the compromised workflows, the threat actors harvested developer secrets and API keys, enabling movement from the automated build environment into the company's private GitHub repositories.
### Data Exfiltration/Impact
- **Details:** Cybercriminal group LAPSUS$ posted stolen data including Checkmarx source code, an employee database, API keys, and credentials for MongoDB and MySQL. This also led to secondary compromises of KICS Docker images and the Bitwarden CLI npm package.
### Detection & Response
- **Discovery:** Monitoring of dark web leak sites and external reports from "Dark Web Informer."
- **Response Actions:** Checkmarx launched a forensic investigation, locked down the affected GitHub repository, and began verifying the scope of the leaked data.
## Attack Methodology
- **Initial Access:** Supply chain attack targeting upstream dependencies (Trivy).
- **Persistence:** Malicious GitHub Actions workflows and compromised VS Code extensions.
- **Privilege Escalation:** Not explicitly detailed, but likely achieved via administrative API keys harvested from the environment.
- **Defense Evasion:** Use of legitimate plugins and marketplace distribution channels to bypass standard security filters.
- **Credential Access:** Deployment of a specialized credential stealer targeting developer secrets.
- **Discovery:** Automated harvesting of environment variables and secrets within GitHub Actions.
- **Lateral Movement:** Misuse of stolen API keys and credentials to access internal repositories.
- **Collection:** Gathering of internal source code and employee databases.
- **Exfiltration:** Data transferred to attacker-controlled infrastructure and later posted to LAPSUS$ leak sites.
- **Impact:** Exposure of proprietary source code and downstream compromise of customer-facing tools (Docker images/NPM packages).
## Impact Assessment
- **Financial:** Costs associated with forensic investigation and remediation (unspecified).
- **Data Breach:** Source code, employee records, API keys, and database credentials (MySQL/MongoDB).
- **Operational:** Disruption to development pipelines; necessitated the teardown and re-deployment of various Docker images and extensions.
- **Reputational:** High; as a security firm, the breach of its own GitHub repository and subsequent leak impacts brand trust.
## Indicators of Compromise
- **Network indicators:** Connections to unauthorized credential-harvesting endpoints (no attacker IPs or domains are listed here; the defanged reference hxxps[://]checkmarx[.]com/blog/checkmarx-security-update-april-26/ is Checkmarx's own security update, not an attacker endpoint).
- **File indicators:** Tampered "Trivy" GitHub Actions; compromised "KICS" Docker images; malicious VS Code extensions on Open VSX.
- **Behavioral indicators:** Unusual credential usage by GitHub Actions service accounts; unexpected data egress from GitHub repositories.
## Response Actions
- **Containment:** Locked down all access to the affected GitHub repositories.
- **Eradication:** Removed malicious code from VS Code extensions and GitHub Action workflows.
- **Recovery:** Re-imaging/re-issuing of KICS Docker images and coordination with Bitwarden to secure the CLI npm package.
- **Notification:** Committed to notifying affected customers if customer-specific data is found in the leak.
## Lessons Learned
- **Dependency Vulnerability:** Even security companies are susceptible to deep supply chain attacks (Trivy) that target the build pipeline rather than the product itself.
- **Secret Management:** The inclusion of API keys and database credentials in repositories remains a critical failure point that facilitates lateral movement.
- **Separation of Environments:** Maintaining GitHub repositories separate from customer production environments successfully limited the "blast radius" of the breach.
## Recommendations
- **Rotate All Secrets:** Immediately rotate all API keys, database credentials, and service tokens stored in or accessible by GitHub Actions.
- **Implement Secrets Scanning:** Deploy automated tools to prevent the accidental commit of secrets into repositories.
- **Code Signing:** Ensure all distributed plugins and Docker images are cryptographically signed to detect unauthorized tampering in the supply chain.
- **Zero Trust Build Pipelines:** Limit the permissions of GitHub Actions to the absolute minimum required for the specific task.
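As an added illustration of the last two recommendations (not from the Checkmarx advisory or any Checkmarx workflow): the same scanning job written first in the permissive form that hands a compromised upstream action every secret plus a writable token, then in a least-privilege form. The action name, commit SHAs and secret names are placeholders.

```yaml
# --- Before: permissive job (added example, not from the report) ---
name: scan-permissive
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    # No permissions block: GITHUB_TOKEN inherits the repository default,
    # which may include write access to contents, packages and pull requests.
    steps:
      - uses: actions/checkout@v4
      # Floating tag: whoever can move "v1" on the upstream repository controls
      # the code that runs here, with every secret below in its environment.
      - uses: example-org/scanner-action@v1          # placeholder action name
        env:
          DB_PASSWORD: ${{ secrets.DB_PASSWORD }}      # placeholder secret
          CLOUD_API_KEY: ${{ secrets.CLOUD_API_KEY }}  # not needed by a scanner
          PUBLISH_TOKEN: ${{ secrets.PUBLISH_TOKEN }}  # not needed by a scanner
---
# --- After: least-privilege job ---
name: scan-hardened
on: [push]
permissions: {}                  # workflow-level default: no token scopes at all
jobs:
  scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read             # only what checkout and a read-only scan need
    steps:
      # Pin every action, including first-party ones, to a full commit SHA so a
      # retagged or replaced upstream release cannot change what runs here.
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
        with:
          persist-credentials: false   # do not leave the token behind in .git/config
      - uses: example-org/scanner-action@89abcdef0123456789abcdef0123456789abcdef  # placeholder SHA
        # No secrets passed: a scanner that reads the checked-out tree needs none.
        # A secret a step truly needs is passed to that step only, never to all steps.
```

With this layout a compromised scanner step sees only a read-only token and no secrets, which removes the credential-harvesting path the report describes; unexpected secret use by the workflow's service identity then becomes an anomaly worth alerting on rather than normal traffic.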