Full Report
Vendor confirms repo data exposure after Lapsus$ claims source code, secrets dump
Analysis Summary
# Incident Report: Multi-Stage Supply Chain Compromise of Checkmarx
## Executive Summary
Checkmarx, a prominent software security testing vendor, fell victim to a cascading supply chain attack originating from compromised open-source security tools. The incident involves the injection of malicious code into Checkmarx's KICS tool and GitHub Actions, which ultimately led to the exfiltration of sensitive source code, API keys, and credentials by the Lapsus$ extortion group. The attack highlights a broader campaign by threat actors targeting high-privilege developer and security tools to gain downstream access to enterprise environments.
## Incident Details
- **Discovery Date:** April 26, 2026 (Public confirmation/Lapsus$ claim)
- **Incident Date:** March 23, 2026 (Initial Checkmarx injection)
- **Affected Organization:** Checkmarx
- **Sector:** Cybersecurity / Software Development Tools
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** Late February – March 16, 2026
- **Vector:** Supply Chain Compromise of upstream open-source tools.
- **Details:** Attackers (TeamPCP) initially compromised **Trivy** (an Aqua Security tool), stealing CI/CD secrets and cloud credentials. This provided the "keys to the kingdom" to access other repositories.
### Lateral Movement
- **March 16 - 23, 2026:** Using stolen credentials from Trivy, attackers moved laterally into other open-source projects, including **LiteLLM** and Checkmarx’s **KICS** (Keeping Infrastructure as Code Secure).
### Data Exfiltration/Impact
- **March 23, 2026:** TeamPCP injected credential-stealing malware into KICS binary and pushed poisoned images to the official `checkmarx/kics` Docker Hub repo.
- **April 2026:** Lapsus$ claimed credit for the final breach of Checkmarx’s internal repositories.
- **Data Stolen:** Source code, API keys, MongoDB/MySQL credentials, and employee details.
### Detection & Response
- **Discovery:** Triggered by Lapsus$ posting stolen data on their leak site and subsequent analysis by Socket researchers.
- **Response actions:** Checkmarx locked down the affected GitHub repositories, revoked compromised plugins, and initiated a forensic investigation to notify affected customers.
## Attack Methodology
- **Initial Access:** Exploitation of secrets stolen from upstream open-source security tools (Trivy).
- **Persistence:** Implementation of persistent backdoors on developers' machines and poisoned Docker images.
- **Privilege Escalation:** Use of high-privilege CI/CD tokens and cloud credentials.
- **Defense Evasion:** Code injection into trusted/official security tools that are often exempt from deep scrutiny.
- **Credential Access:** Extraction of API keys, SSH keys, and database credentials (MySQL/MongoDB).
- **Discovery:** Scanning for Infrastructure-as-Code (IaC) files containing sensitive configurations.
- **Lateral Movement:** Chaining compromises from one Tool (Trivy) to others (KICS, Bitwarden CLI).
- **Collection:** Malware generated "uncensored" scan reports containing sensitive environment data.
- **Exfiltration:** Encrypted data sent to external attacker-controlled endpoints.
- **Impact:** Theft of proprietary source code and potential downstream compromise of Checkmarx customers.
## Impact Assessment
- **Financial:** Potential loss of intellectual property; costs associated with incident response and litigation.
- **Data Breach:** Exposure of source code, secrets, and employee information. 4 TB of data was reportedly offered for sale in related attacks (Mercor).
- **Operational:** Disruption of CI/CD pipelines and the need to rotatate all internal and customer-facing secrets.
- **Reputational:** Significant damage to a "trusted" security vendor whose primary product is intended to prevent such vulnerabilities.
## Indicators of Compromise
- **Network indicators:** Data exfiltration to external endpoints (specific IPs/URLs not provided in text; would be listed as `hxxp[:]//attacker-site[.]com`).
- **File indicators:** Poisoned KICS binary in `checkmarx/kics` Docker images; malicious Open VSX plugins.
- **Behavioral indicators:** Unexpected outbound encrypted traffic from CI/CD runners or security scanning tools.
## Response Actions
- **Containment:** Locked down access to compromised GitHub repositories and pulled poisoned Docker images.
- **Eradication:** Revoked compromised GitHub Actions and Open VSX plugins.
- **Recovery:** Initiating customer notification protocols for those whose scan data may have been exfiltrated.
## Lessons Learned
- **Security Tool Trust Paradox:** Security tools are high-value targets because they are often "overprivileged" and deeply embedded in sensitive environments.
- **Secret Management:** The initial compromise was exacerbated by the storage of long-lived secrets within CI/CD environments.
- **Supply Chain Visibility:** Vendors must monitor not only their own code but the integrity of the official images they push to public registries like Docker Hub.
## Recommendations
- **Zero Trust for Tools:** Implement the principle of least privilege for security scanners and CI/CD service accounts.
- **Binary Integrity:** Implement automated checksum verification and code signing for all distributed binaries and Docker images.
- **Secret Rotation:** Move toward short-lived, identity-based credentials for CI/CD pipelines to mitigate the impact of stolen tokens.
- **Egress Monitoring:** Monitor and restrict outbound connections from build servers and dev environments to known, authorized endpoints only.