Security & Infrastructure Tools

Checkmarx confirms LAPSUS$ hackers leaked its stolen GitHub data

Checkmarx confirms LAPSUS$ leaked data from its private GitHub repository after a March 23 supply-chain attack tied to the Trivy incident; attackers used stolen credentials to publish malicious artifacts, including Docker images and VSCode/Open VSX extensions for Checkmarx’s KICS scanner. A 96 GB data pack was posted on the LAPSUS$ portal and accessible on clearnet, with Checkmarx saying the exposed data originated from its GitHub and does not appear to contain customer information. Access to the affected repository has been blocked and a forensic investigation is ongoing, with more details expected within 24 hours.

TechLogHub

April 28, 2026

Keep Reading

Security & Infrastructure ToolsJun 12, 2026

Ukrainian national pleads guilty to role in Conti ransomware operation

A Ukrainian national extradited from Ireland to the United States pleaded guilty to conspiracy to commit wire fraud in connection with the Conti ransomware operation, admitting to joining the group in September 2021 and possessing data stolen from eight U.S. victims and four overseas victims. He helped code a loader used in attacks and faces up to 20 years in prison. Conti, linked to TrickBot, targeted more than 1,000 victims and collected over $150 million in ransom before disbanding in 2022.

Security & Infrastructure ToolsJun 12, 2026

Over 400 Arch Linux packages compromised to push rootkit, infostealer

More from the Blog

View all

Security & Infrastructure Tools

Microsoft Adds Copilot Data Controls to All Storage Locations

Microsoft is expanding its data‑loss prevention controls to block the Microsoft 365 Copilot AI assistant from processing confidential Word, Excel and PowerPoint documents regardless of where they are stored—whether on local devices or in SharePoint/OneDrive. The update will be deployed through the Augmentation Loop (AugLoop) Office component between late March and late April 2026, automatically enabling the restriction for organizations that already have DLP policies set to block Copilot from handling sensitivity‑labeled content. This change follows a bug that had allowed Copilot to summarize confidential emails in users’ Sent Items and Drafts folders despite active DLP protections.

Feb 25, 2026

Security & Infrastructure Tools

Previously harmless Google API keys now expose Gemini AI data

Stay Updated

Get the next deep dive in your inbox

Subscribe for product analysis, engineering explainers, and practical guides published on TechLogHub.

Stay Updated

Get weekly insights, product updates, and launches straight to your inbox.

Overview

Security researcher and application security company Checkmarx reported that the LAPSUS$ hacking group leaked data stolen from its private GitHub repository.
The initial access is believed to have come from a supply-chain compromise tied to the Trivy vulnerability scanner incident, attributed to TeamPCP, which provided credentials from downstream users.
Malicious code and artifacts were published in March, with further malicious content appearing in April as attackers maintained access.

Background and Context

Checkmarx is an application security firm; the incident centers on their GitHub environment rather than customer-facing databases.
The threat actor used stolen credentials obtained through the Trivy-related incident to gain entry and interact with Checkmarx’s GitHub setup.
The March 23, 2026 compromise is identified as the starting point for the subsequent data exposure and publication on an extortion portal.

Timeline of Key Events

March 23, 2026: Initial breach via compromised credentials accessed Checkmarx’s GitHub repositories, enabling publication of malicious artifacts.
April 22, 2026: Renewed access allowed the attacker to publish additional malicious content, including Docker images, and VSCode/Open VSX extensions for Checkmarx’s KICS security scanner.
April 26–27, 2026: Checkmarx confirms continued activity and data exposure related to the March breach; forensic activity intensifies.
Late April 2026: The LAPSUS$ group posts data on their extortion portal and also makes the 96 GB data pack accessible through clearnet portals, challenging the notion that data was only on the dark web.
Ongoing: Checkmarx, with third-party forensics support, continues to assess what data was exposed and whether any customer information was included.

Data Exposed and Content Scope

Official statements indicate the data released by the attackers originates from Checkmarx’s GitHub repositories and is tied to the March 23 compromise.
The attackers published various artifacts and configuration items, including credentials, keys, tokens, and configuration files.
Checkmarx asserts that no customer information was stored in the GitHub repository implicated in the breach; however, the exact content of the leaked data remains under forensic review.
A 96 GB data pack has been deployed by LAPSUS$, and forensic teams are evaluating the exact nature and reach of the exposure.

Checkmarx’s Response and Forensic Process

Access to the affected GitHub repository has been blocked to contain the incident while the investigation proceeds.
Forensic work is being conducted with the help of a leading third-party firm to determine data types and the extent of exposure.
If customer information is found within the leaked material, affected individuals will be notified promptly.
Checkmarx has pledged to share additional details within a short window as the investigation advances.

Current Status and Implications

The incident underscores the risk of supply-chain-style intrusions where downstream credentials enable unauthorized access to internal repositories.
While the published data is linked to the company’s GitHub and not directly described as containing customer data, the full scope remains under review.
The breach illustrates how persistent access can lead to multiple publication events, including both dark-web and clearnet data dissemination.

Context and Related Considerations

The case aligns with broader patterns of extortion-focused hacks that leverage compromised supplier credentials to reach code repositories and development assets.
It highlights the importance of ongoing credential hygiene, repository access controls, and rapid containment after detection of unusual activity.
Ongoing forensic updates will drive the final assessment of data exposure and any downstream risk to customers or partners.

Checkmarx confirms LAPSUS$ hackers leaked its stolen GitHub data

Related Posts

Ukrainian national pleads guilty to role in Conti ransomware operation

Over 400 Arch Linux packages compromised to push rootkit, infostealer

More from the Blog

Microsoft Adds Copilot Data Controls to All Storage Locations

Previously harmless Google API keys now expose Gemini AI data

Get the next deep dive in your inbox

Stay Updated

Early Warning Signs of Supply-Chain Attacks Live in the Dark Web

Microsoft says bug in classic Outlook hides the mouse pointer

Product

Learn

Company

Legal

Stay Updated

Browse by Category

What's New