Supply Chain Security Incident Update
Author: checkmarx.com (view original), 2026-4-26 23:23:27

April 27, 2026

What happened?

On March 23, 2026, Checkmarx identified a cybersecurity incident originating from the Trivy Supply Chain Attack. The cybersecurity community previously reported on March 19 that the TeamPCP attack affecting the Trivy scanner could potentially be used to harvest credentials from downstream users.

While we are still investigating the incident, we believe this is the likely vector that enabled the attackers to obtain credentials and to gain unauthorized access to our GitHub repositories. As a result of that access, the attackers were able to interact with Checkmarx’s GitHub environment and subsequently publish malicious code to certain artifacts.

As part of our investigation into the incident, we identified that exfiltration of data took place on March 30, 2026. A cybercriminal group subsequently published data related to Checkmarx to the dark web on April 25. Current evidence indicates that this data originated from Checkmarx’s GitHub repositories, and that access to those repositories was facilitated through the initial supply chain attack of March 23, 2026.

Importantly, Checkmarx’s GitHub repositories are maintained separately from our customer production environment. As standard practice, we do not store customer data in our GitHub repository.

Incident Timeline

March

Mar 23 (Event): Compromised artifacts published

Malicious Checkmarx artifacts are published. Attacker pushes malicious code directly into the Checkmarx GitHub repository.

Containment, investigation, remediation and communication efforts commenced immediately, and remain ongoing.

April

Apr 22 (Persistence): Compromised artifacts published

A second wave of malicious Checkmarx artifacts is published, indicating continued or renewed attacker access.

Apr 25 (Disclosure): LAPSUS$ publishes stolen data

LAPSUS$ publicly releases data stamped March 30, nearly one month after the suspected exfiltration of data from the Checkmarx GitHub repository by the attacker.

Timeline categories: Breach / Exfiltration, Persistence, Disclosure.

Actions we have taken

Upon identification of the incident, Checkmarx commenced a formal investigation and engaged external forensic specialists to support that work.

Initial steps Checkmarx took to contain and remediate the incident included:

  • Removed unauthorized code and published clean artifacts
  • Implemented additional safeguards within our development and distribution workflows
  • Rotated credentials identified as potentially exposed, with validation and follow-up rotation continuing as the investigation progressed
  • Reviewed our environments for indications of further compromise

Following evidence of further malicious artifacts we took additional steps to strengthen our security posture:

  • Retained an additional third-party cybersecurity expert provider to bolster our investigation efforts
  • Conducted a wider rotation of credentials across the environment
  • Implemented additional security controls, tools, and access restrictions within our development environment
  • Performed additional reviews of access pathways and integrations
  • Locked down access to the affected GitHub repositories while the investigation continues
  • Commenced a code audit to verify that no further malicious code is present beyond the findings already identified
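As an added example (not Checkmarx's own tooling), the access-pathway review and credential rotation listed above can be driven from an audit-log export: the script below walks constructed JSON-lines audit events (a simplified, assumed schema, not GitHub's exact one), lists every artifact publication or protected-branch push inside the exposure window from the March 19 public report to the April 25 disclosure, and reports each token that performed one, since a CI token harvested through a compromised scanner looks like a legitimate actor by name alone.

```python
import json
from datetime import datetime, timezone

# Exposure window taken from the incident narrative: the Trivy compromise was
# publicly reported on March 19, 2026; stolen data was published on April 25, 2026.
WINDOW_START = datetime(2026, 3, 19, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 4, 25, 23, 59, 59, tzinfo=timezone.utc)

# Constructed sample audit export (assumed schema, invented values).
SAMPLE_LOG = """\
{"ts":"2026-03-18T09:12:00Z","actor":"ci-bot","token":"tok_ci_01","action":"git.push","repo":"org/scanner-cli","ref":"refs/heads/main"}
{"ts":"2026-03-23T02:41:10Z","actor":"ci-bot","token":"tok_ci_01","action":"release.create","repo":"org/scanner-cli","ref":"v3.4.1"}
{"ts":"2026-03-24T11:00:00Z","actor":"dev-alice","token":"ssh_alice","action":"git.push","repo":"org/docs","ref":"refs/heads/feature"}
{"ts":"2026-04-22T03:15:44Z","actor":"ci-bot","token":"tok_ci_01","action":"release.create","repo":"org/scanner-cli","ref":"v3.4.2"}
{"ts":"2026-04-22T03:16:02Z","actor":"ci-bot","token":"tok_ci_01","action":"workflow.update","repo":"org/scanner-cli","ref":".github/workflows/release.yml"}
"""

def parse_events(text):
    """Parse JSON lines into dicts with an aware UTC datetime in 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events

def is_publish(ev):
    """True for actions that change what downstream consumers receive:
    releases, packages, workflow definitions, and pushes to main or tags."""
    if ev["action"] in {"release.create", "package.publish", "workflow.update"}:
        return True
    return ev["action"] == "git.push" and (
        ev["ref"] == "refs/heads/main" or ev["ref"].startswith("refs/tags/"))

def suspicious_publications(events, start=WINDOW_START, end=WINDOW_END):
    """Publish-type events inside the exposure window, oldest first."""
    hits = [e for e in events if start <= e["ts"] <= end and is_publish(e)]
    return sorted(hits, key=lambda e: e["ts"])

def activity_by_token(events):
    """Per token: first/last publish in the window and how many there were.
    A gap between first and last use (Mar 23 vs Apr 22 here) is the
    'renewed access' signal; every token listed is a rotation candidate."""
    summary = {}
    for e in suspicious_publications(events):
        s = summary.setdefault(e["token"], {"first": e["ts"], "last": e["ts"], "count": 0})
        s["last"] = e["ts"]
        s["count"] += 1
    return summary

def tokens_to_rotate(events):
    return sorted(activity_by_token(events))
```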

We are now in the final stages of our investigation and are confirming that the unauthorized access has been fully contained. We will share further information as soon as we are able.

Additional Information

We have communicated with our customers throughout this process and will continue to provide relevant updates as more information becomes available. Further information, including recommended steps customers can take, is available on our Support Portal or in our Security Updates.


Source: https://checkmarx.com/blog/supply-chain-security-incident-update/