CheckMarx admits it was hit by major cyberattack that saw data leaked onto Dark Web

In a breach notification published on the company blog, Checkmarx said it was still investigating the incident, but confirmed the leaked data was stolen from its GitHub repository, and that access to that repository was facilitated, "through the initial supply chain attack of March 23, 2026."

What Checkmarx is referring to is a supply chain incident that affected Trivy, an open source vulnerability scanner. A week before the attack, a group known as TeamPCP smuggled an infostealer into the scanner, nabbing user secrets, cloud credentials, SSH keys, and Kubernetes configuration files. After that they added persistent backdoors on the devices of the victimized developers, for further access.

Lapsus$ leaks the files

From there, they were also able to pivot into other environments, including LiteLLM, Telnyx, and KICS. They also compromised other Checkmarx tools, GitHub Actions, and two Open VSX plugins. At the time, the researchers said the malware stole browser data (cookies, autofill information, browsing history, bookmarks, credit cards, and login credentials, from the biggest browsers such as Opera, Chrome, Brave, Vivaldi, Yandex, and Edge), Discord data (including Discord tokens, which can be used to access accounts), cryptocurrency wallet data, Telegram chat sessions, computer files, and Instagram data.

It was suggested that more than 170,000 people may have been at risk.

The company has since barred access to the affected repository and said if it determines user data was stolen, it will notify affected parties immediately.

A day before posting that notification, threat actors calling themselves Lapsus$ added Checkmarx to their data leak website, claiming to have exfiltrated source code, API keys, MongDB and MySQL login credentials, and employee details. Checkmarx has not commented on these claims.

Via The Register