
Application security company Checkmarx has confirmed that the LAPSUS$ threat group leaked data stolen from its private GitHub repository.
Although the investigation is ongoing, Checkmarx believes that the access vector was the Trivy supply-chain attack attributed to the hacker group known as TeamPCP, which provided access to credentials from downstream users.
Using stolen credentials obtained from the Trivy incident, the threat actor was able to access Checkmarx’s GitHub repositories and publish malicious code on March 23.
“As a result of that access, the attackers were able to interact with Checkmarx’s GitHub environment and subsequently publish malicious code to certain artifacts,” the company explains.
On April 22, as a result of their renewed access or month-long persistence, the attacker published malicious Docker images, VSCode and Open VSX extensions for Checkmarx’s KICS security scanner, which stole credentials, keys, tokens, and config files.
In an update yesterday, the company confirmed that the data that the LAPSUS$ group published on their extortion portal belonged to Checkmarx and originated from the March 23 compromise.
“Our investigation, conducted with support from a leading third-party forensic firm, indicates that a cybercriminal group has published data related to Checkmarx to the dark web,” reads the update.
“Based on current evidence, we believe this data originated from Checkmarx’s GitHub repository, and that access to that repository was facilitated through the initial supply chain attack of March 23, 2026.”
Although Checkmarx and other media outlets reported that this data was leaked on the dark web, BleepingComputer has found that LAPSUS$ has also made the 96GB data pack available through clearnet portals.

BleepingComputer has not examined the content of the leaked data, but Checkmarx has stated that it does not contain customer information, as this is not stored in the company’s GitHub repository.
A forensic investigation is underway to determine the exact type of data that has been exposed.
The company states that, if customer information is found in the leaked data, affected individuals will be notified immediately.
Access to the affected GitHub repository has been blocked until the investigation is complete. Checkmarx estimates that it will be able to share more details within the next 24 hours.



