CheckMarx admits it was hit by major cyberattack that saw data leaked onto Dark Web


  • CheckMarx confirms breach tied to a recent supply chain attack
  • Stolen data originated from its GitHub repository, with investigations still ongoing
  • Threat actors later claimed to have exfiltrated source code and sensitive credentials

A day after Checkmarx’s data appeared on the dark web, the company has officially confirmed suffering a data breach.

In a breach notification published on the company blog, Checkmarx said it was still investigating the incident, but confirmed the leaked data was stolen from its GitHub repository, and that access to that repository was facilitated "through the initial supply chain attack of March 23, 2026."

What Checkmarx is referring to is a supply chain incident that affected Trivy, an open source vulnerability scanner. A week before the attack, a group known as TeamPCP smuggled an infostealer into the scanner, nabbing user secrets, cloud credentials, SSH keys, and Kubernetes configuration files. After that they added persistent backdoors on the devices of the victimized developers, for further access.


Lapsus$ leaks the files

From there, they were also able to pivot into other environments, including LiteLLM, Telnyx, and KICS. They also compromised other Checkmarx tools, GitHub Actions, and two Open VSX plugins. At the time, the researchers said the malware stole browser data (cookies, autofill information, browsing history, bookmarks, credit cards, and login credentials, from the biggest browsers such as Opera, Chrome, Brave, Vivaldi, Yandex, and Edge), Discord data (including Discord tokens, which can be used to access accounts), cryptocurrency wallet data, Telegram chat sessions, computer files, and Instagram data.

It was suggested that more than 170,000 people may have been at risk.

The company has since barred access to the affected repository and said if it determines user data was stolen, it will notify affected parties immediately.

A day before posting that notification, threat actors calling themselves Lapsus$ added Checkmarx to their data leak website, claiming to have exfiltrated source code, API keys, MongoDB and MySQL login credentials, and employee details. Checkmarx has not commented on these claims.

Via The Register




Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
