Application security company Checkmarx has confirmed that the LAPSUS$ threat group leaked data stolen from its private GitHub repository.
Although the investigation is ongoing, Checkmarx believes that the access vector was the Trivy supply-chain attack attributed to the hacker group known as TeamPCP, which provided access to credentials from downstream users.
Using stolen credentials obtained from the Trivy incident, the threat actor was able to access Checkmarx's GitHub repositories and publish malicious code on March 23.
"As a result of that access, the attackers were able to interact with Checkmarx’s GitHub environment and subsequently publish malicious code to certain artifacts," the company explains.
On April 22, whether through renewed access or month-long persistence, the attacker published malicious Docker images and VSCode and Open VSX extensions for Checkmarx’s KICS security scanner, which stole credentials, keys, tokens, and config files.
In an update yesterday, the company confirmed that the data that the LAPSUS$ group published on their extortion portal belonged to Checkmarx and originated from the March 23 compromise.
“Our investigation, conducted with support from a leading third-party forensic firm, indicates that a cybercriminal group has published data related to Checkmarx to the dark web,” reads the update.
“Based on current evidence, we believe this data originated from Checkmarx’s GitHub repository, and that access to that repository was facilitated through the initial supply chain attack of March 23, 2026.”
Although Checkmarx and other media outlets reported that this data was leaked on the dark web, BleepingComputer has found that LAPSUS$ has also made the 96GB data pack available through clearnet portals.
Checkmarx data leak on the LAPSUS$ site