Checkmarx confirms GitHub repository data was published on the dark web


Checkmarx has confirmed that data linked to the company was published on the dark web after attackers gained unauthorized access to its GitHub repositories. The company says current evidence points back to the March 23, 2026 supply chain attack that affected its development environment.

The application security firm said data exfiltration took place on March 30, and that a cybercriminal group published Checkmarx-related data on April 25. Checkmarx also said its GitHub repositories stay separate from customer production environments and that it does not store customer data in GitHub as standard practice.

The disclosure adds another layer to an incident that already involved malicious artifacts, compromised development workflows, and emergency credential rotation. Checkmarx says the investigation continues with support from outside forensic specialists, including Mandiant.

What Checkmarx confirmed

Checkmarx first issued a short April 26 update saying a cybercriminal group had posted company-related data on the dark web. The company said the data appeared to originate from its GitHub repository and that the access likely came through the initial March 23 supply chain attack.

A fuller April 27 update added more detail. Checkmarx said attackers were able to interact with its GitHub environment and publish malicious code to certain artifacts after obtaining credentials through the earlier supply chain compromise.

The company also confirmed that it locked down access to the affected GitHub repositories while the investigation continues. A code audit is underway to check that no additional malicious code remains beyond the already identified findings.

At a glance

Item                            | Details
Company                         | Checkmarx
Incident type                   | Supply chain compromise and GitHub repository data exposure
Initial incident date           | March 23, 2026
Data exfiltration date          | March 30, 2026
Dark web publication date       | April 25, 2026
Suspected source of leaked data | Checkmarx GitHub repositories
Customer production environment | Maintained separately from GitHub repositories
Customer data in GitHub         | Checkmarx says it does not store customer data there
External response support       | Mandiant and other forensic specialists
Current status                  | Investigation, containment, credential rotation, and code audit ongoing

How the incident developed

Checkmarx says it identified the incident on March 23. The company linked the likely access path to the Trivy supply chain attack, which the security community had reported earlier in March.

According to Checkmarx, attackers used that access to publish compromised artifacts. Its timeline also says a second wave of malicious artifacts appeared on April 22, suggesting continued or renewed attacker access before the later dark web leak.

The Register reported that the Lapsus$ extortion group claimed it had dumped Checkmarx source code, secrets, and other sensitive data. Checkmarx has not publicly confirmed every claim from the leak site, but it has confirmed that data related to the company was published and that current evidence points to GitHub repositories.

Why GitHub repository exposure matters

GitHub repositories can contain more than source code. They may include build scripts, internal documentation, CI/CD configuration, test data, infrastructure references, tokens, or secrets if a company’s controls fail.

That makes repository access valuable to attackers. With the right files, threat actors may look for vulnerabilities, identify internal systems, understand build pipelines, or prepare more targeted supply chain attacks.

In this case, Checkmarx says it rotated credentials identified as potentially exposed, reviewed its environments for further compromise, and added security controls and access restrictions across its development environment.

Timeline of the Checkmarx incident

Date           | Event
March 19, 2026 | Security community reports the Trivy-related TeamPCP attack could harvest downstream credentials
March 23, 2026 | Checkmarx identifies the incident and begins containment
March 23, 2026 | Malicious Checkmarx artifacts are published
March 30, 2026 | Data exfiltration from GitHub repositories takes place (identified later by Checkmarx)
April 22, 2026 | A second wave of compromised artifacts is published
April 25, 2026 | LAPSUS$ publishes Checkmarx-related data on the dark web
April 26, 2026 | Checkmarx confirms that GitHub repository data was published on the dark web
April 27, 2026 | Checkmarx publishes a more detailed incident update

What Checkmarx has done so far

Checkmarx says it removed unauthorized code and published clean artifacts after detecting the incident. The company also added safeguards to its development and distribution workflows.

It also rotated potentially exposed credentials, reviewed access pathways and integrations, engaged law enforcement, and brought in Mandiant to support the investigation. These steps point to a broader containment effort rather than a simple repository cleanup.

The company says it remains in the final stages of the investigation and is working to confirm that unauthorized access has been fully contained. It also said it will notify customers and relevant parties if it determines customer information was involved.

What customers should know

Checkmarx has emphasized that its GitHub repositories are separate from its customer production environment. It also says customer data is not stored in GitHub repositories as standard practice.

That statement reduces the immediate concern around direct customer data exposure. However, customers should still monitor official Checkmarx updates, because the investigation is still verifying the nature and scope of the data posted online.

Organizations that use Checkmarx tools should also review their own environments for unusual activity, especially if they interacted with affected artifacts during the relevant time windows. Supply chain incidents can create downstream risk even when customer production systems are not directly accessed.

Why this matters for software supply chain security

The incident shows how one compromise can move across the developer ecosystem. A stolen credential or compromised build workflow can affect repositories, extensions, containers, artifacts, and downstream users.

The Hacker News reported that the earlier Checkmarx breach involved tampered GitHub Actions workflows and Open VSX marketplace plugins that pushed credential-stealing malware. It also reported a later compromise involving a KICS Docker image, VS Code extensions, and a GitHub Actions workflow.

This matters because security and developer tools often sit inside trusted CI/CD workflows. If attackers compromise those tools, they can reach developers, cloud credentials, repositories, and build systems with less friction.

  • Follow Checkmarx’s official security updates and support portal guidance.
  • Review whether your team used affected Checkmarx artifacts during the incident window.
  • Rotate credentials that may have touched affected workflows or plugins.
  • Check CI/CD logs for unexpected outbound connections or credential access.
  • Review GitHub Actions secrets, repository tokens, and service account permissions.
  • Audit Open VSX, VS Code extension, Docker, and GitHub Actions usage tied to affected tools.
  • Monitor for suspicious authentication from developer machines.
  • Keep evidence if you find unusual activity, then escalate to security or incident response teams.
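As an added example, not from the article or from Checkmarx, the following Python script supports two of the review items above: it lists every action and container image reference in a GitHub Actions workflow, flags which are pinned to an immutable commit SHA or digest rather than a mutable tag, and checks workflow-run records against the artifact publication dates the article gives. The workflow, the run records, the commit SHA and the window end dates are all constructed assumptions; take the real artifact dates from Checkmarx's advisories.

```python
import re
from datetime import date, datetime

# Constructed sample workflow (not from Checkmarx or the article): one action on a
# mutable tag, one on a constructed 40-hex commit SHA, and a container image by tag.
WORKFLOW = """
jobs:
  scan:
    runs-on: ubuntu-latest
    container:
      image: checkmarx/kics:latest
    steps:
      - uses: actions/checkout@v4
      - uses: checkmarx/ast-github-action@2.0.0
      - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b
"""

# Start dates are the two artifact waves from the article (March 23 and April 22,
# 2026). End dates are placeholders (assumption): replace with the dates on which
# Checkmarx published clean artifacts for each wave.
INCIDENT_WINDOWS = [(date(2026, 3, 23), date(2026, 3, 30)),
                    (date(2026, 4, 22), date(2026, 4, 27))]

SHA40 = re.compile(r"^[0-9a-f]{40}$")
REF_LINE = re.compile(r"^\s*(?:-\s*)?(?:uses|image):\s*([^\s#]+)", re.M)

def find_refs(workflow_text):
    """Return [(ref, immutable)] for each action/image reference in the workflow.
    An action is immutable only when pinned to a full commit SHA, an image only
    when pinned by @sha256 digest; tags such as v4, 2.0.0 or :latest are mutable."""
    out = []
    for ref in REF_LINE.findall(workflow_text):
        if "@sha256:" in ref:
            immutable = True
        elif "@" in ref:
            immutable = bool(SHA40.match(ref.rsplit("@", 1)[1]))
        else:
            immutable = False  # container image by tag (or no tag at all)
        out.append((ref, immutable))
    return out

def checkmarx_refs(workflow_text):
    """Only the references that pull Checkmarx-published artifacts."""
    return [r for r, _ in find_refs(workflow_text) if r.lower().startswith("checkmarx/")]

def runs_in_incident_windows(runs):
    """runs: records {'ts': ISO timestamp, 'ref': artifact used}, e.g. exported from
    CI run history. Returns (ts, ref) for Checkmarx artifacts pulled inside a window."""
    hits = []
    for run in runs:
        if not run["ref"].lower().startswith("checkmarx/"):
            continue
        day = datetime.fromisoformat(run["ts"]).date()
        if any(start <= day <= end for start, end in INCIDENT_WINDOWS):
            hits.append((run["ts"], run["ref"]))
    return hits
```

Any hit from the last function is a run whose credentials and outputs deserve the rotation and log review described in the list above, and every mutable reference reported by the first is a candidate for pinning to a commit SHA or image digest.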

FAQ

What did Checkmarx confirm?

Checkmarx confirmed that a cybercriminal group published data related to the company on the dark web. Current evidence indicates that the data came from Checkmarx GitHub repositories.

When did the data leave Checkmarx?

Checkmarx says its investigation identified data exfiltration on March 30, 2026. The data was later published on the dark web on April 25.

Was customer data exposed?

Checkmarx says its GitHub repositories are separate from customer production environments and that it does not store customer data in GitHub as standard practice. The investigation remains focused on verifying the nature and scope of the posted data.

Who is investigating the incident?

Checkmarx says it engaged external forensic specialists and retained Mandiant to support the investigation. It also says it engaged law enforcement.
