Full Report
Application security company Checkmarx has confirmed that the LAPSUS$ threat group leaked data stolen from its private GitHub repository. [...]
Analysis Summary
# Incident Report: Checkmarx GitHub Data Leak via LAPSUS$
## Executive Summary
The application security firm Checkmarx confirmed a significant data breach involving the theft and subsequent leak of 96GB of data from its private GitHub repositories. The breach was initiated by the LAPSUS$ group (leveraging access from a prior supply chain attack) and resulted in the publication of source code and the injection of malicious code into Checkmarx artifacts. No customer data is currently believed to have been compromised as it was not stored in the affected environment.
## Incident Details
- **Discovery Date:** April 26, 2026 (Confirmation of LAPSUS$ leak)
- **Incident Date:** March 23, 2026 (Initial Access) - April 22, 2026 (Malicious updates)
- **Affected Organization:** Checkmarx
- **Sector:** Cybersecurity / Application Security
- **Geography:** Global (Headquartered in Israel/US)
## Timeline of Events
### Initial Access
- **Date/Time:** March 23, 2026
- **Vector:** Supply Chain Attack (Trivy scanner/TeamPCP)
- **Details:** Attackers utilized stolen credentials harvested from a prior breach of the Trivy vulnerability scanner ecosystem to gain unauthorized access to Checkmarx’s private GitHub environment.
### Lateral Movement
- After gaining entry via stolen credentials, the attackers moved within the GitHub environment to access various private repositories and build pipelines.
### Data Exfiltration/Impact
- **March 23:** Attackers interacted with the GitHub environment and began exfiltrating repository data.
- **April 22:** Attackers utilized persistent access to publish malicious Docker images, VSCode extensions, and Open VSX extensions for Checkmarx’s KICS security scanner.
- **Late April:** A 96GB data pack was leaked by LAPSUS$ on both dark web and clearnet portals.
### Detection & Response
- **Discovery:** The incident came to light following the public leak of data by the LAPSUS$ threat group and the detection of malicious code in official artifacts.
- **Response actions:** Engagement of a third-party forensic firm, blocking access to compromised GitHub repositories, and auditing all published artifacts.
## Attack Methodology
- **Initial Access:** Valid Accounts (Stolen credentials from Trivy supply chain incident).
- **Persistence:** High-privilege access to GitHub repositories maintained for approximately one month.
- **Privilege Escalation:** Not specified, but likely utilized administrative tokens within GitHub.
- **Defense Evasion:** Use of legitimate credentials; blending malicious code into official VSCode and Docker updates.
- **Credential Access:** Stole credentials, keys, tokens, and config files from KICS analysis tool users.
- **Discovery:** Reconnaissance of private GitHub repositories.
- **Lateral Movement:** Movement across different software repositories and CI/CD pipelines.
- **Collection:** Automated gathering of source code and configuration files.
- **Exfiltration:** Transfer of 96GB of data to attacker-controlled infrastructure.
- **Impact:** Financial/Identity theft (via credential/token harvesting) and Reputation damage (via data leak).
## Impact Assessment
- **Financial:** Costs associated with forensic investigation and remediation (unspecified total).
- **Data Breach:** 96GB of source code and internal repository data leaked.
- **Operational:** Disruption to KICS scanner tool updates; temporary suspension of GitHub environment access.
- **Reputational:** High; an application security firm’s own tools were used to distribute malicious code.
## Indicators of Compromise
- **Network indicators:** N/A (Cloud-to-cloud breach)
- **File indicators:**
  - Malicious Docker images for KICS.
  - Malicious VSCode/Open VSX extensions.
- **Behavioral indicators:** Unauthorized publication of code artifacts; access from IPs associated with TeamPCP/LAPSUS$.
## Response Actions
- **Containment:** Access to the affected GitHub repositories was immediately blocked.
- **Eradication:** Removal of malicious Docker images and VSCode/Open VSX extensions from public registries.
- **Recovery:** Ongoing forensic audit with a third-party firm to verify the integrity of all source code.
## Lessons Learned
- **Supply Chain Interdependency:** Credentials stolen from a third-party tool (Trivy) can grant access to the core intellectual property of another firm.
- **Tool Integrity:** Security tools themselves (KICS) are high-value targets for supply chain poisoning because they often require broad access to codebases.
- **Persistence Monitoring:** The attacker remained in the environment for nearly a month before deploying malicious artifacts.
## Recommendations
- Implement strictly enforced Multi-Factor Authentication (MFA) for all repository access, ideally using hardware keys.
- Rotate all credentials and secrets regularly, especially those used in third-party CI/CD integrations.
- Implement "Code Signing" for all published artifacts (Docker, VSCode extensions) to ensure integrity.
- Monitor GitHub Audit Logs for anomalous activity, such as bulk repository cloning or unauthorized credential creation.
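The last recommendation, monitoring audit logs for bulk repository cloning and unauthorized credential creation, is the one most directly tied to how this incident unfolded (a credential created or stolen, then a month of quiet access, then mass exfiltration). The following is an added example written for this report, not code from Checkmarx, GitHub or the original page. It runs a small sliding-window detector over constructed audit-log lines: the field layout (`@timestamp`, `action`, `actor`, `repo`, `actor_ip`) mirrors the general shape of a GitHub audit-log JSON export, but the action names `git.clone` and `personal_access_token.create`, the thresholds, the allowlist and every actor, repository and IP value are assumptions made for the example and should be adjusted to your own export format and baseline.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit-log export (not real Checkmarx or GitHub data). Field names
# mirror the general shape of a GitHub audit-log JSON export; the action names, actors,
# repositories and IP addresses are invented for this example.
SAMPLE_LOG = """
{"@timestamp": "2026-03-23T02:58:00Z", "action": "personal_access_token.create", "actor": "contractor-acct", "actor_ip": "203.0.113.7"}
{"@timestamp": "2026-03-23T03:00:00Z", "action": "git.clone", "actor": "contractor-acct", "repo": "acme/repo-a", "actor_ip": "203.0.113.7"}
{"@timestamp": "2026-03-23T03:00:30Z", "action": "git.clone", "actor": "contractor-acct", "repo": "acme/repo-b", "actor_ip": "203.0.113.7"}
{"@timestamp": "2026-03-23T03:01:00Z", "action": "git.clone", "actor": "contractor-acct", "repo": "acme/repo-c", "actor_ip": "203.0.113.7"}
{"@timestamp": "2026-03-23T03:01:30Z", "action": "git.clone", "actor": "contractor-acct", "repo": "acme/repo-d", "actor_ip": "203.0.113.7"}
{"@timestamp": "2026-03-23T03:02:00Z", "action": "git.clone", "actor": "contractor-acct", "repo": "acme/repo-e", "actor_ip": "203.0.113.7"}
{"@timestamp": "2026-03-23T03:02:30Z", "action": "git.clone", "actor": "contractor-acct", "repo": "acme/repo-f", "actor_ip": "203.0.113.7"}
{"@timestamp": "2026-03-23T03:05:00Z", "action": "git.clone", "actor": "dev-alice", "repo": "acme/repo-a", "actor_ip": "198.51.100.20"}
{"@timestamp": "2026-03-23T09:15:00Z", "action": "git.clone", "actor": "dev-alice", "repo": "acme/repo-b", "actor_ip": "198.51.100.20"}
{"@timestamp": "2026-03-23T10:00:00Z", "action": "personal_access_token.create", "actor": "ci-bot", "actor_ip": "198.51.100.5"}
"""

# Assumed tuning values: distinct repos per actor within the window that count as "bulk",
# and service identities that are expected to mint tokens as part of normal operations.
CLONE_THRESHOLD = 5
WINDOW = timedelta(minutes=10)
ALLOWED_TOKEN_CREATORS = {"ci-bot"}


def parse_events(text):
    """Parse newline-delimited JSON audit events and sort them by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["@timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_bulk_cloning(events, threshold=CLONE_THRESHOLD, window=WINDOW):
    """Flag actors that clone >= threshold distinct repos inside any sliding window."""
    by_actor = defaultdict(list)
    for ev in events:
        if ev["action"] == "git.clone":
            by_actor[ev["actor"]].append(ev)
    findings = []
    for actor, clones in by_actor.items():
        best = None
        for i, start in enumerate(clones):  # clones are already time-ordered
            repos = set()
            for ev in clones[i:]:
                if ev["ts"] - start["ts"] > window:
                    break
                repos.add(ev["repo"])
            if best is None or len(repos) > best["distinct_repos"]:
                best = {"actor": actor, "distinct_repos": len(repos),
                        "window_start": start["ts"]}
        if best["distinct_repos"] >= threshold:
            findings.append(best)
    return findings


def detect_token_creation(events, allowed=ALLOWED_TOKEN_CREATORS):
    """Flag personal-access-token creation by any identity not on the allowlist."""
    return [
        {"actor": ev["actor"], "actor_ip": ev.get("actor_ip"), "ts": ev["ts"]}
        for ev in events
        if ev["action"] == "personal_access_token.create" and ev["actor"] not in allowed
    ]


def correlate(token_findings, clone_findings, max_gap=timedelta(hours=24)):
    """Chain a suspicious token creation to bulk cloning by the same actor soon after."""
    chains = []
    for tok in token_findings:
        for cl in clone_findings:
            gap = cl["window_start"] - tok["ts"]
            if tok["actor"] == cl["actor"] and timedelta(0) <= gap <= max_gap:
                chains.append({"actor": tok["actor"], "token_created": tok["ts"],
                               "bulk_clone_started": cl["window_start"]})
    return chains


def run(text):
    """Run all three detectors over an audit-log export and return the findings."""
    events = parse_events(text)
    bulk = detect_bulk_cloning(events)
    tokens = detect_token_creation(events)
    return {"bulk_clone": bulk, "token_creation": tokens,
            "token_then_bulk_clone": correlate(tokens, bulk)}


if __name__ == "__main__":
    for kind, items in run(SAMPLE_LOG).items():
        for item in items:
            print(f"[{kind}] {item}")
```

On the constructed input the detector reports `contractor-acct` for all three findings (six distinct repositories cloned in under three minutes, a token minted by a non-allowlisted identity, and the two chained together), while `dev-alice`'s two clones six hours apart and `ci-bot`'s allowlisted token pass silently. The correlation step is what turns two noisy signals into an actionable alert; in a real deployment the thresholds would be set from a baseline of normal developer activity rather than the values assumed here.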