- CheckMarx confirms breach tied to a recent supply chain attack
- Stolen data originated from its GitHub repository, with investigations still ongoing
- Threat actors later claimed to have exfiltrated source code and sensitive credentials
A day after Checkmarx’s data appeared on the dark web, the company has officially confirmed suffering a data breach.
In a breach notification published on the company blog, Checkmarx said it was still investigating the incident, but confirmed the leaked data was stolen from its GitHub repository, and that access to that repository was facilitated, “through the initial supply chain attack of March 23, 2026.”
What Checkmarx is referring to is a supply chain incident that affected Trivy, an open source vulnerability scanner. A week before the attack, a group known as TeamPCP smuggled an infostealer into the scanner, nabbing user secrets, cloud credentials, SSH keys, and Kubernetes configuration files. After that they added persistent backdoors on the devices of the victimized developers, for further access.
Article continues below
Lapsus$ leaks the files
From there, they were also able to pivot into other environments, including LiteLLM, Telnyx, and KICS. They also compromised other Checkmarx tools, GitHub Actions, and two Open VSX plugins. At the time, the researchers said the malware stole browser data (cookies, autofill information, browsing history, bookmarks, credit cards, and login credentials, from the biggest browsers such as Opera, Chrome, Brave, Vivaldi, Yandex, and Edge), Discord data (including Discord tokens, which can be used to access accounts), cryptocurrency wallet data, Telegram chat sessions, computer files, and Instagram data.
It was suggested that more than 170,000 people may have been at risk.
The company has since barred access to the affected repository and said if it determines user data was stolen, it will notify affected parties immediately.
A day before posting that notification, threat actors calling themselves Lapsus$ added Checkmarx to their data leak website, claiming to have exfiltrated source code, API keys, MongDB and MySQL login credentials, and employee details. Checkmarx has not commented on these claims.
Via The Register
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.
https://cdn.mos.cms.futurecdn.net/pNvZnS4EQCoYBG2inqCq5L-970-80.jpg
Source link
