Checkmarx recently confirmed that a supply chain attack on its KICS open source project resulted in unauthorized data access. The breach occurred last month and was linked to the Trivy supply chain attack, in which attackers covertly moved GitHub Action version tags so that workflows referencing those tags pulled malicious code.
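The tag-moving vector described above works because a GitHub Actions `uses:` reference such as `@v4` or `@main` is a mutable pointer, while a full 40-character commit SHA is not. The following checker is an added example, not code from the article or from Checkmarx: it scans a workflow file and reports every `uses:` reference that is not pinned to an immutable SHA (or, for `docker://` images, a `sha256` digest). The sample workflow and the `example-org/...` action names are constructed for the demonstration.

```python
import re
from typing import List, Tuple

# Constructed sample workflow for the demonstration; the example-org actions are placeholders.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/scan-action@8f3a1b2c4d5e6f708192a3b4c5d6e7f8091a2b3c # v1.2.3
      - uses: example-org/other-action@main
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - run: echo hello
"""

# Matches a `uses:` line and captures the reference up to whitespace or a trailing comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_ref(ref: str) -> str:
    """Classify a `uses:` reference as local, sha (immutable), mutable, or missing."""
    if ref.startswith("./"):
        # Local actions live in the same repository; they are covered by the repo's own review.
        return "local"
    if ref.startswith("docker://"):
        # A container image is immutable only when referenced by digest, not by tag.
        return "sha" if "@sha256:" in ref else "mutable"
    if "@" not in ref:
        # No version at all: resolves to the default branch, which can change at any time.
        return "missing"
    _, _, version = ref.rpartition("@")
    if FULL_SHA_RE.match(version):
        return "sha"
    # Tags and branch names can be moved to point at different commits.
    return "mutable"


def find_unpinned_uses(workflow_text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, reference, classification) for each non-immutable `uses:`."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        kind = classify_ref(ref)
        if kind in ("mutable", "missing"):
            findings.append((lineno, ref, kind))
    return findings


if __name__ == "__main__":
    for lineno, ref, kind in find_unpinned_uses(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} ({kind} reference, pin to a commit SHA)")
```

Running the checker over the sample flags `actions/checkout@v4`, `example-org/other-action@main`, and the `docker://alpine:3.19` image, while the SHA-pinned step and the local action pass. Keeping the human-readable version in a trailing comment, as the pinned line does, preserves readability without reintroducing the mutable pointer; tools such as Dependabot can then bump the SHA and comment together.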
Impact of the Supply Chain Attack
This attack has been attributed to TeamPCP, a notorious hacking group involved in a broader campaign targeting multiple open source software ecosystems. The objective was to steal credentials and sensitive information. Around the time Checkmarx was compromised, messages from TeamPCP and the Lapsus$ extortion group indicated possible collaboration for financial gain.
Subsequently, Lapsus$ listed Checkmarx on its Tor-based leak site, claiming to have acquired source code, employee databases, API keys, and database credentials. Checkmarx confirmed that the breach stemmed from compromised GitHub repositories accessed via credentials obtained in the initial attack on March 23, 2026.
Response to the Breach
The attackers gained access to Checkmarx’s GitHub environment using credentials compromised through the Trivy hack. They targeted two OpenVSX plugins and GitHub Actions workflows. In response, Checkmarx removed the malicious packages, rotated the compromised credentials, and blocked access to the attackers’ infrastructure.
Despite these efforts, the attackers managed to re-enter the environment, and on April 22 they deployed additional malicious code affecting a DockerHub KICS image, a GitHub Action, a VS Code extension, and a Developer Assist extension. These actions also led to a compromise of the NPM package for the Bitwarden CLI, the command-line client of the widely used open source password manager.
Ongoing Investigation and Mitigation Efforts
Checkmarx revealed that data exfiltration occurred on March 30, 2026. As part of its ongoing investigation, the company has engaged law enforcement, partnered with Mandiant for further analysis, reset a broad range of credentials, enhanced security measures, secured GitHub repositories, and initiated a code audit.
Checkmarx has stated that it is nearing the conclusion of its investigation and has confirmed that the unauthorized access has been contained. The company plans to release more information as it becomes available.
Related incidents in the cybersecurity landscape include data breaches at Vimeo, luxury cosmetics giant Rituals, and healthcare organizations in Illinois and Texas.
