Ongoing supply-chain attack 'explicitly targeting' security, dev tools
Checkmarx is investigating a supply-chain attack that appears to have exposed data from one of its GitHub repositories, after the Lapsus$ extortion group claimed to have dumped the company's source code, API keys, database credentials, and employee information. The breach traces back to an earlier compromise of the open-source scanner Trivy, which attackers used to inject credential-stealing malware into multiple developer tools, including Checkmarx's KICS scanner and Bitwarden's CLI. By subverting trusted development tools the attackers harvested credentials and gained access to sensitive environments, amplifying the attack's reach across the software ecosystem. Checkmarx has locked down the affected repository and is still assessing the full scope of the incident.
- Checkmarx confirmed that data posted online likely came from its GitHub repository, accessed via a supply-chain attack dating back to March 23, 2026.
- The attack began with the compromise of Trivy, an open-source vulnerability scanner, which allowed threat actors to inject credential-stealing malware into multiple downstream tools.
- Malicious code was pushed into Checkmarx's KICS Docker images, enabling attackers to collect and exfiltrate sensitive infrastructure-as-code scan data.
- The breach also affected Bitwarden's CLI tool, significantly expanding the potential impact due to its widespread use among developers and enterprises.
- Lapsus$ and affiliated groups are leveraging these compromises for extortion, claiming to possess large volumes of stolen source code and sensitive credentials.
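The compromises summarised above landed in artifacts that downstream teams pull routinely: container images and a CLI. The check a practitioner wants after reading this is whether their own pipelines take such images by floating tag, where every pull accepts whatever the publisher's registry account currently serves, or by content digest, which a hijacked account cannot silently re-point. The following is an added example written for this page, not code from Checkmarx, Aqua Security or Bitwarden: it lints Dockerfiles and CI YAML for image references that are not pinned by digest, and compares the digests present on a host against a recorded known-good set. Image names are illustrative, every digest is a constructed placeholder, and because the article publishes no indicators the script enforces pinning and flags drift rather than identifying the malicious builds themselves.

```python
# Added example for this page, not code from Checkmarx, Aqua Security or Bitwarden.
# Image names are illustrative; every digest is a constructed placeholder.
from __future__ import annotations

import re
from dataclasses import dataclass

# Image references in Dockerfile FROM lines and in CI YAML (`image:` fields,
# GitHub Actions `uses: docker://...`).  Only the @sha256 form is immutable;
# any tag, version tags included, can be re-pointed by whoever controls the
# registry account that publishes the image.
IMAGE_REF_RE = re.compile(
    r"""(?:^\s*FROM\s+(?:--platform=\S+\s+)?|^\s*(?:-\s*)?image:\s*|uses:\s*docker://)
        (?P<ref>[\w./:-]+(?:@sha256:[0-9a-f]{64})?)""",
    re.IGNORECASE | re.MULTILINE | re.VERBOSE,
)
# Build-stage aliases (`FROM ... AS name`) are local names, not registry pulls.
STAGE_RE = re.compile(r"^\s*FROM\s+\S+(?:\s+\S+)?\s+AS\s+(\w+)", re.IGNORECASE | re.MULTILINE)


@dataclass(frozen=True)
class ImageRef:
    name: str
    tag: str | None
    digest: str | None


def parse_ref(ref: str) -> ImageRef:
    """Split 'registry:port/repo:tag@sha256:...' into name, tag and digest."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    name, tag = ref, None
    colon = ref.rfind(":")
    if colon > ref.rfind("/"):  # a colon before the last slash is a registry port, not a tag
        name, tag = ref[:colon], ref[colon + 1:]
    return ImageRef(name, tag, digest)


def audit_pinning(text: str) -> list[str]:
    """One finding per image reference that is not pinned by digest."""
    stages = {m.group(1).lower() for m in STAGE_RE.finditer(text)}
    findings = []
    for m in IMAGE_REF_RE.finditer(text):
        raw = m.group("ref")
        ref = parse_ref(raw)
        if ref.digest or ref.name.lower() in stages or ref.name.lower() == "scratch":
            continue
        if ref.tag in (None, "latest"):
            findings.append(f"{raw}: floating tag, each pull takes whatever the registry currently serves")
        else:
            findings.append(f"{raw}: version tag is mutable, pin an @sha256 digest")
    return findings


def verify_inventory(pulled: dict[str, str], pinned: dict[str, str]) -> dict[str, list[str]]:
    """Compare digests present on a host (e.g. from `docker image inspect`) with a recorded known-good set."""
    report: dict[str, list[str]] = {"ok": [], "drifted": [], "unpinned": []}
    for name, digest in sorted(pulled.items()):
        expected = pinned.get(name)
        if expected is None:
            report["unpinned"].append(name)
        elif expected == digest:
            report["ok"].append(name)
        else:
            report["drifted"].append(name)
    return report


# Constructed sample inputs, not taken from any real repository or host.
PLACEHOLDER_DIGEST = "sha256:" + "0123456789abcdef" * 4
SAMPLE_DOCKERFILE = f"""\
FROM checkmarx/kics:latest AS kics
FROM aquasec/trivy:0.50.0 AS trivy
FROM python:3.12-slim@{PLACEHOLDER_DIGEST}
COPY --from=kics /app/bin/kics /usr/local/bin/kics
"""
SAMPLE_CI = """\
container:
  image: checkmarx/kics:latest
steps:
  - uses: docker://aquasec/trivy:0.50.0
"""
PINNED_DIGESTS = {"checkmarx/kics": PLACEHOLDER_DIGEST, "aquasec/trivy": "sha256:" + "fedcba9876543210" * 4}
PULLED_DIGESTS = {
    "checkmarx/kics": "sha256:" + "deadbeef" * 8,  # differs from the pinned digest: drift
    "aquasec/trivy": PINNED_DIGESTS["aquasec/trivy"],
    "python": "sha256:" + "abcdef01" * 8,  # present on the host but never pinned
}

if __name__ == "__main__":
    for label, text in (("Dockerfile", SAMPLE_DOCKERFILE), ("CI config", SAMPLE_CI)):
        for finding in audit_pinning(text):
            print(f"[{label}] {finding}")
    print(verify_inventory(PULLED_DIGESTS, PINNED_DIGESTS))
```

Digest pinning is a precondition, not a guarantee: a digest recorded after a malicious push pins the bad build. Record digests from a build you have verified by other means, and re-run the inventory comparison on CI runners and developer hosts as part of triage when an upstream tool is reported compromised.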
Full article excerpt
Vendor confirms repo data exposure after Lapsus$ claims source code, secrets dump

Jessica Lyons, Mon 27 Apr 2026 // 23:33 UTC

Software security testing outfit Checkmarx has become the latest organization caught up in an ongoing attack on security-tool providers. The biz said data posted online appears to have come from one of its GitHub repositories after the Lapsus$ extortion crew claimed to have dumped the company’s source code, secrets, and other sensitive data.

In a Sunday update, Checkmarx said the investigation remains ongoing, and it's working to "verify the nature and scope" of the data. Current evidence, however, suggests that "this data originated from Checkmarx's GitHub repository, and that access to that repository was facilitated through the initial supply chain attack of March 23, 2026."

The security shop has since locked down access to the affected repo, and said if the investigation determines any customer information was posted online, it will notify "all relevant parties immediately."

A day earlier, Lapsus$ data thieves added Checkmarx to the list of victims on its leak site. In a post shared on X by Dark Web Informer, the extortionists claimed to have dumped a raft of sensitive information including source code, API keys, MongoDB and MySQL login credentials, and employee details.
Checkmarx did not respond to The Register's inquiries about the stolen data and Lapsus$ claims. The vendor, on Sunday, promised a "more detailed update within 24 hours," as this supply chain SNAFU ripples across the security and developer tools landscapes.

From Trivy to Checkmarx

The initial…
This excerpt is published under fair use for community discussion. Read the full article at The Register.