Checkmarx, a software security testing company, has confirmed that it is a victim of an ongoing supply chain attack that has specifically targeted security tool providers. The attack has resulted in the exposure of sensitive data from one of its GitHub repositories, as claimed by the Lapsus$ extortion group.
In a recent update, Checkmarx stated that it is investigating the incident to verify the nature and scope of the exposed data. Preliminary evidence indicates that the data was accessed through a supply chain attack that occurred on March 23, 2026. Following the discovery, Checkmarx has restricted access to the affected repository and has committed to notifying any impacted customers if their information is found to have been compromised.
Details of the Attack
On April 26, Lapsus$ added Checkmarx to its list of victims on its leak site, claiming to have released a significant amount of sensitive information, including source code, API keys, and login credentials for MongoDB and MySQL. Checkmarx has not yet responded to inquiries regarding the specifics of the stolen data or the claims made by Lapsus$.
Initial Compromise and Malware Insertion
The initial attack referenced by Checkmarx took place on March 23, when a group known as TeamPCP utilized CI/CD secrets stolen from Trivy, an open-source vulnerability scanner maintained by Aqua Security. TeamPCP had previously compromised Trivy in late February, injecting credential-stealing malware that captured developers’ secrets, including cloud credentials and SSH keys.
On March 23, the same malware was injected into KICS, another open-source tool maintained by Checkmarx, which resulted in the deployment of compromised images to the official checkmarx/kics Docker Hub repository. Analysis revealed that the modified KICS binary included capabilities for data collection and exfiltration, posing a serious risk to users scanning sensitive infrastructure-as-code files.
Broader Implications of the Attack
The attack has extended beyond Checkmarx, impacting other developer tools, including Checkmarx GitHub Actions and two plugins distributed via the Open VSX marketplace. Notably, the open-source password manager Bitwarden was also compromised, which could affect over 10 million users and more than 50,000 businesses.
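Both the poisoned checkmarx/kics images on Docker Hub and the affected GitHub Actions are reached through mutable references (a tag such as :latest or @v4 that the publisher, or whoever holds the publisher's credentials, can re-point). The following added example, which is not code from the article or from Checkmarx, is a minimal pre-merge check that flags every action or container image in a workflow that is not pinned to an immutable commit SHA or content digest; the sample workflow, action names, SHAs and digests are constructed placeholders.

```python
import re

# Constructed sample workflow (not from the page or from Checkmarx); the action
# names, tags and SHAs are illustrative placeholders, not real commits or digests.
SAMPLE_WORKFLOW = """\
jobs:
  scan:
    container:
      image: checkmarx/kics:latest
    steps:
      - uses: actions/checkout@v4
      - uses: checkmarx/kics-github-action@v2.1.0
      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
    services:
      db:
        image: postgres@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
IMAGE_RE = re.compile(r"^\s*image:\s*([^\s#]+)")
COMMIT_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
IMAGE_DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

def action_is_pinned(ref):
    """owner/repo@<ref> is pinned only when <ref> is a full 40-hex commit SHA;
    a tag or branch (v4, main) can be re-pointed at malicious code."""
    _, _, version = ref.partition("@")
    return bool(COMMIT_SHA_RE.match(version))

def image_is_pinned(ref):
    """A container reference is pinned only by content digest; a tag such as
    :latest resolves to whatever the registry currently serves."""
    return bool(IMAGE_DIGEST_RE.search(ref))

def find_unpinned(workflow_text):
    """Return (line_number, kind, reference) for every mutable action or image
    reference. Line-based on purpose: no YAML library, runs in a minimal CI step."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and not action_is_pinned(m.group(1)):
            findings.append((lineno, "action", m.group(1)))
        m = IMAGE_RE.match(line)
        if m and not image_is_pinned(m.group(1)):
            findings.append((lineno, "image", m.group(1)))
    return findings

if __name__ == "__main__":
    for lineno, kind, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: unpinned {kind} reference {ref}")
```

Pinning does not by itself detect a compromised upstream; it ensures that a release re-pointed after the fact cannot silently change what your pipeline runs until someone reviews and updates the pin.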
Experts emphasize that attackers are increasingly targeting trusted tools within the developer ecosystem, such as security scanners and password managers, which can lead to widespread data breaches. The nature of this attack highlights the vulnerabilities present in the security tooling landscape.
Future Risks and Ongoing Threats
TeamPCP has reportedly collaborated with ransomware groups like Vect and Lapsus$, indicating a potential for further supply chain attacks. The ongoing campaign reflects a strategic shift where attackers are not only bypassing security measures but are actively targeting the tools designed to protect them.
As the investigation continues, Checkmarx has pledged to provide further updates on the situation, emphasizing the importance of vigilance in the face of evolving cyber threats.
This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.