Full Report
Vendor confirms repo data exposure after Lapsus$ claims source code, secrets dump

Software security testing outfit Checkmarx has become the latest organization caught up in an ongoing attack on security-tool providers. The biz said data posted online appears to have come from one of its GitHub repositories after the Lapsus$ extortion crew claimed to have dumped the company’s source code, secrets, and other sensitive data.…
Analysis Summary
# Incident Report: Deep-Chained Supply Chain Compromise of Checkmarx
## Executive Summary
Checkmarx, a prominent application security testing provider, suffered a significant supply chain compromise initiated by the threat group TeamPCP and subsequently exploited by Lapsus$. By trojanizing developer tools and GitHub Actions, attackers exfiltrated internal source code, secrets, and credentials. The incident is part of a broader campaign targeting high-trust security tools to facilitate downstream attacks on over 50,000 businesses.
## Incident Details
- **Discovery Date:** April 26, 2026 (Public confirmation/Lapsus$ claim)
- **Incident Date:** March 23, 2026 (Initial supply chain injection)
- **Affected Organization:** Checkmarx (and downstream users of KICS/Bitwarden CLI)
- **Sector:** Cybersecurity / Software Development Tools
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** Late February – March 16, 2026
- **Vector:** Supply Chain Pivot
- **Details:** Attackers (TeamPCP) initially compromised Trivy (Aqua Security). By March 16, they exfiltrated developer secrets and SSH keys, which were used to pivot into Checkmarx’s infrastructure.
### Lateral Movement
- **March 23, 2026:** Attackers used stolen credentials to access Checkmarx’s GitHub repositories and Docker Hub accounts. They moved laterally into the CI/CD pipelines for KICS (Keeping Infrastructure as Code Secure).
### Data Exfiltration/Impact
- **March 23 – Late April 2026:** Trojanized KICS binaries and GitHub Actions collected and exfiltrated "uncensored" scan reports, infrastructure-as-code secrets, and API keys.
- **April 26, 2026:** Lapsus$ claimed to have dumped Checkmarx source code, MongoDB/MySQL credentials, and employee details.
### Detection & Response
- **Detection:** Identified following Lapsus$ data dump claims and third-party research by Socket.
- **Response:** Checkmarx locked down affected GitHub repositories, revoked compromised credentials, and issued security advisories for KICS and Open VSX plugins.
## Attack Methodology
- **Initial Access:** Valid accounts/Secrets stolen from upstream vendor (Trivy).
- **Persistence:** Trojanized Docker images and GitHub Action workflows.
- **Privilege Escalation:** Exploitation of high-privilege CI/CD service accounts.
- **Defense Evasion:** Modification of legitimate binaries (KICS) to include encrypted exfiltration modules.
- **Credential Access:** Extraction of API keys, SSH keys, and database logins from developer environments.
- **Discovery:** Scanning infrastructure-as-code (IaC) files for sensitive configurations.
- **Lateral Movement:** "Chained" supply chain attacks moving from one security tool provider to another.
- **Collection:** Gathering uncensored scan reports and internal repository data.
- **Exfiltration:** Encrypted data sent to external attacker-controlled endpoints.
- **Impact:** Massive data leak and downstream compromise of users (e.g., Bitwarden CLI).
## Impact Assessment
- **Financial:** Not yet disclosed; potential for significant internal remediation costs.
- **Data Breach:** Source code, API keys, database credentials, and employee PII.
- **Operational:** Disruption of CI/CD pipelines and forced updates required for all KICS/GitHub Action users.
- **Reputational:** High; a security-focused vendor was used as a vector to attack its own customers.
## Indicators of Compromise
- **Network:** Exfiltration to unverified external endpoints (specific IPs not listed in text).
- **File:** Poisoned Docker images in `checkmarx/kics` (March 23 version).
- **Behavioral:** Unauthorized modifications to GitHub Action YAML files and Open VSX marketplace plugins.
## Response Actions
- **Containment:** Disabled GitHub repositories and revoked access tokens.
- **Eradication:** Removed poisoned images from Docker Hub and Open VSX.
- **Recovery:** Notifying affected customers and conducting a forensic audit of all source code.
## Lessons Learned
- **Key Takeaways:** Security tools are "high-value choke points" because they are over-privileged and deeply embedded in environments.
- **Gaps:** Compromised CI/CD secrets remained active and usable for weeks before the full scope of the Trivy-to-Checkmarx pivot was realized.
## Recommendations
- **Rotate Secrets Regularly:** Implement aggressive rotation policies for CI/CD and GitHub tokens.
- **Binary Integrity:** Implement code signing and checksum verification for all distributed developer tools.
- **Least Privilege:** Restrict CI/CD runners' outbound network access to explicitly allowlisted, known endpoints.
- **Sub-Resource Integrity:** Monitor for unexpected changes in third-party GitHub Actions and plugins.
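As an added illustration of the last recommendation (example code, not Checkmarx's or any vendor's own tooling), the script below scans a GitHub Actions workflow for `uses:` references that float on a mutable tag or branch instead of a full commit SHA, the property that let trojanized actions reach downstream pipelines in this incident, and reports references that were not present at the last review. The workflow, action names and approved baseline are constructed samples.

```python
import re

# Constructed sample workflow (not Checkmarx's own): one step pinned to a
# full commit SHA, two steps floating on a mutable tag or branch.
SAMPLE_WORKFLOW = """\
name: iac-scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
      - uses: example-vendor/iac-scanner@v2
      - uses: example-org/deploy-helper@main
      - run: ./scanner scan -p .
"""

# Constructed baseline: the refs reviewed and approved at the last audit.
APPROVED_REFS = {
    "actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608",
    "example-vendor/iac-scanner@v2",
}

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def action_refs(workflow_text):
    """Yield (line_number, ref) for every `uses:` entry in a workflow."""
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            yield lineno, m.group(1).strip("'\"")

def unpinned_actions(workflow_text):
    """Refs on a mutable tag/branch rather than a 40-hex commit SHA.
    A tag like @v2 can be moved to trojanized code with no change to
    this file; a full SHA cannot."""
    findings = []
    for lineno, ref in action_refs(workflow_text):
        if ref.startswith(("./", "docker://")):
            continue  # local paths and images need a different check
        version = ref.rsplit("@", 1)[1] if "@" in ref else ""
        if not FULL_SHA_RE.match(version):
            findings.append((lineno, ref))
    return findings

def drifted_actions(workflow_text, approved=APPROVED_REFS):
    """Refs that were not present at the last review of this workflow."""
    return sorted({ref for _, ref in action_refs(workflow_text)} - approved)
```

Run it against every workflow under `.github/workflows/` in CI and fail the job on any finding, so a moved tag or a newly introduced action is caught before the runner executes it.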