Security & Infrastructure Tools
Checkmarx confirms LAPSUS$ hackers leaked its stolen GitHub data
Checkmarx confirms LAPSUS$ leaked data from its private GitHub repository after a March 23 supply-chain attack tied to the Trivy incident; attackers used stolen credentials to publish malicious artifacts, including Docker images and VSCode/Open VSX extensions for Checkmarx’s KICS scanner. A 96 GB data pack was posted on the LAPSUS$ portal and was also accessible on the clearnet, with Checkmarx saying the exposed data originated from its GitHub and does not appear to contain customer information. Access to the affected repository has been blocked and a forensic investigation is ongoing, with more details expected within 24 hours.

- Overview
  - Application security company Checkmarx reported that the LAPSUS$ hacking group leaked data stolen from its private GitHub repository.
  - Initial access is believed to have come from a supply-chain compromise tied to the Trivy vulnerability scanner incident, attributed to TeamPCP, which yielded credentials belonging to downstream users.
  - Malicious code and artifacts were published in March, with further malicious content appearing in April as the attackers maintained access.
- Background and Context
  - Checkmarx is an application security firm; the incident centers on its GitHub environment rather than customer-facing databases.
  - The threat actor used stolen credentials obtained through the Trivy-related incident to gain entry and interact with Checkmarx’s GitHub setup.
  - The March 23, 2026 compromise is identified as the starting point for the subsequent data exposure and publication on an extortion portal.
- Timeline of Key Events
  - March 23, 2026: Initial breach via compromised credentials gives access to Checkmarx’s GitHub repositories, enabling publication of malicious artifacts.
  - April 22, 2026: Renewed access allows the attacker to publish additional malicious content, including Docker images and VSCode/Open VSX extensions for Checkmarx’s KICS security scanner.
  - April 26–27, 2026: Checkmarx confirms continued activity and data exposure related to the March breach; forensic activity intensifies.
  - Late April 2026: The LAPSUS$ group posts data on its extortion portal and also makes the 96 GB data pack accessible through clearnet portals, undercutting any assumption that the data was available only on the dark web.
  - Ongoing: Checkmarx, with third-party forensics support, continues to assess what data was exposed and whether any customer information was included.
- Data Exposed and Content Scope
  - Official statements indicate the data released by the attackers originates from Checkmarx’s GitHub repositories and is tied to the March 23 compromise.
  - The attackers published various artifacts and configuration items, including credentials, keys, tokens, and configuration files.
  - Checkmarx asserts that no customer information was stored in the GitHub repository implicated in the breach; however, the exact content of the leaked data remains under forensic review.
  - A 96 GB data pack has been posted by LAPSUS$, and forensic teams are evaluating the exact nature and reach of the exposure.
- Checkmarx’s Response and Forensic Process
  - Access to the affected GitHub repository has been blocked to contain the incident while the investigation proceeds.
  - Forensic work is being conducted with the help of a leading third-party firm to determine the data types involved and the extent of exposure.
  - If customer information is found within the leaked material, affected individuals will be notified promptly.
  - Checkmarx has pledged to share additional details within a short window as the investigation advances.
- Current Status and Implications
  - The incident underscores the risk of supply-chain-style intrusions in which credentials stolen from downstream users enable unauthorized access to internal repositories.
  - While the published data is linked to the company’s GitHub and is not described as containing customer data, the full scope remains under review.
  - The breach illustrates how persistent access can lead to multiple publication events, including both dark-web and clearnet data dissemination.
- Context and Related Considerations
  - The case aligns with broader patterns of extortion-focused hacks that leverage compromised supplier credentials to reach code repositories and development assets.
  - It highlights the importance of ongoing credential hygiene, repository access controls, and rapid containment after detection of unusual activity.
  - Ongoing forensic updates will drive the final assessment of data exposure and any downstream risk to customers or partners.
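The leaked material reportedly included credentials, keys, tokens and configuration files committed to a repository, and the closing point above is credential hygiene. As an added example (not code from the original article, and not tooling from Checkmarx, LAPSUS$ or any party named in it), the following Python scanner walks an in-memory set of constructed sample files, flags strings shaped like well-known credential formats or generic `password=`/`token:` assignments, skips documented placeholder values, and redacts each hit so the report itself does not re-leak the secret. The file contents, paths and values are all constructed for the demonstration; the regexes follow the publicly documented prefixes of AWS access key IDs and GitHub tokens.

```python
import re
from typing import Dict, List

# Constructed sample repository contents (hypothetical, not data from any real breach).
SAMPLE_FILES: Dict[str, str] = {
    "config/settings.yaml": "db_host: localhost\napi_key: AKIAABCDEFGHIJKLMNOP\n",
    "scripts/deploy.sh": "#!/bin/sh\nexport GITHUB_TOKEN=ghp_1234567890abcdefghijklmnopqrstuvwxyzAB\n",
    "docs/example.env": "PASSWORD=example-placeholder\n",
    "keys/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA...\n-----END RSA PRIVATE KEY-----\n",
    "README.md": "# Project\nNothing secret here.\n",
}

# Detection rules: named regexes for well-known credential formats plus a generic
# "secret-looking assignment" rule. The provider-specific prefixes (AKIA for AWS
# access key IDs, ghp_/gho_/... for GitHub tokens) are from public documentation.
PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "generic_secret_assignment": re.compile(
        r"(?i)(?:password|passwd|secret|token|api[_-]?key)\s*[:=]\s*['\"]?([^\s'\"]{8,})"
    ),
}

# Values that match the rules but are documented placeholders; skipped to cut noise.
PLACEHOLDER_HINTS = ("example", "changeme", "placeholder", "<redacted>", "xxxx")


def redact(value: str) -> str:
    """Keep only a short prefix so a finding can be triaged without re-leaking the value."""
    return value[:4] + "..." if len(value) > 4 else "..."


def scan_text(path: str, text: str) -> List[dict]:
    """Return one finding per (line, rule) hit in a single file's content."""
    findings: List[dict] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            # Rules with a capture group report the assigned value; others the whole match.
            value = match.group(1) if match.groups() else match.group(0)
            if any(hint in value.lower() for hint in PLACEHOLDER_HINTS):
                continue
            findings.append({"path": path, "line": lineno, "rule": rule, "sample": redact(value)})
    return findings


def scan_files(files: Dict[str, str]) -> List[dict]:
    """Scan a mapping of path -> content, standing in for a checked-out working tree."""
    findings: List[dict] = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def summarize(findings: List[dict]) -> Dict[str, int]:
    """Count findings per rule, e.g. to fail a CI job when the count is non-zero."""
    counts: Dict[str, int] = {}
    for finding in findings:
        counts[finding["rule"]] = counts.get(finding["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan_files(SAMPLE_FILES)
    for hit in hits:
        print(f"{hit['path']}:{hit['line']} [{hit['rule']}] {hit['sample']}")
    print(summarize(hits))
```

In a real pipeline the mapping passed to `scan_files` would be built from the repository checkout (and ideally from every historical commit, since a secret removed in a later commit is still recoverable from history), and a non-empty summary would block the merge; rotating any credential that was ever committed matters more than deleting it, because once a repository is exfiltrated the history goes with it.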