Checkmarx: GitHub repo data posted on dark web

Checkmarx says files from a GitHub repository were posted on the dark web after a March 23 supply-chain attack; the company locked the repo and is investigating.

Checkmarx disclosed that files from a GitHub repository were posted on dark‑web sites after a supply‑chain attack on March 23. The company locked the repository and opened a forensic investigation.

The ongoing probe found a cybercriminal group published material linked to Checkmarx on data‑leak sites. Current evidence indicates the files came from the company’s GitHub repository and that access to that repository was gained through the March 23 incident.

The GitHub repository is maintained separately from Checkmarx’s customer production environment and does not contain customer data, the company noted. Access to the affected repository has been restricted while investigators verify the nature and scope of the posted files.

The company added in its statement:

“If we determine that customer information was involved in this incident, we will notify customers and all relevant parties immediately.”

Listings connected to the incident claim the leaked content includes source code, an employee database, API keys and credentials for MongoDB and MySQL instances. A known extortion‑focused cybercrime group publicly listed Checkmarx among alleged victims on a data‑leak site.

The disclosure follows a late‑March compromise linked to the Trivy supply‑chain attack. Checkmarx reported that two GitHub Actions workflows and two plugins distributed through the Open VSX marketplace were altered to deliver a credential‑stealing payload designed to harvest developer secrets.

A threat actor using the name TeamPCP claimed responsibility for the initial tampering. Security researchers later identified related infections that touched Checkmarx’s KICS Docker image, two Visual Studio Code extensions and another GitHub Actions workflow. Those infections briefly affected the Bitwarden CLI npm package.

Credential‑stealing malware typically scans developer environments for stored secrets such as environment variables, configuration files and local credential stores to capture keys and tokens that can be reused to access other systems or cloud resources.
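The same places a stealer looks are the ones a defender should inventory before an incident and rotate after one. The script below is an added example, not code from the article or from Checkmarx: it walks a developer checkout (a constructed sample tree, written to a temp directory), flags files that conventionally hold credentials, pattern-matches file contents for connection strings and tokens, and lists secret-like environment variable names. Every reported value is masked and nothing leaves the machine. The file names, token formats and the `KEY`/`SECRET`/`TOKEN` name hints are illustrative assumptions, a small subset of what a production scanner such as a pre-commit secret scanner carries.

```python
"""
Added example (not from the article): a defender-side audit of the stored
secrets a credential stealer would find in a developer checkout, producing
a masked list so the credentials can be rotated or moved to a secret manager.
"""
from __future__ import annotations

import os
import re
import tempfile
from pathlib import Path

# File names that conventionally hold credentials (assumption: a common subset).
SECRET_BEARING_FILES = {".env", ".npmrc", ".git-credentials", "credentials", ".pypirc"}

# Credential-like string patterns.  Illustrative assumptions: the URI and key
# formats are public conventions; a real scanner carries many more rules.
# Order matters: the first kind that matches a line is the one reported.
PATTERNS = {
    "mongodb_uri": re.compile(r"mongodb(?:\+srv)?://[^\s'\"]+:[^\s'\"]+@"),
    "mysql_uri": re.compile(r"mysql://[^\s'\"]+:[^\s'\"]+@"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # No \b around the keyword: names like DB_PASSWORD join with an underscore.
    "generic_assignment": re.compile(
        r"(?i)(?:api[_-]?key|secret|token|password)\s*[=:]\s*['\"]?([^\s'\"]{8,})"
    ),
}

# Environment variable name fragments that usually mean "this value is a credential".
SECRET_ENV_HINTS = ("KEY", "SECRET", "TOKEN", "PASSWORD", "PASSWD")


def mask(value: str) -> str:
    """Keep only the first and last two characters so the report itself cannot leak the secret."""
    if len(value) <= 6:
        return "*" * len(value)
    return value[:2] + "*" * (len(value) - 4) + value[-2:]


def scan_text(text: str, source: str) -> list[dict]:
    """Report credential-like strings in text, one kind per line, values masked."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            matches = list(pattern.finditer(line))
            if not matches:
                continue
            for m in matches:
                secret = m.group(1) if m.groups() else m.group(0)
                findings.append({"source": source, "line": lineno, "kind": kind, "masked": mask(secret)})
            break  # the most specific pattern for this line has been recorded
    return findings


def scan_tree(root: Path) -> list[dict]:
    """Walk a checkout: flag secret-bearing file names and scan every file's contents."""
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue
        rel = str(path.relative_to(root))
        hits = scan_text(text, rel)
        if path.name in SECRET_BEARING_FILES and not hits:
            # No pattern fired, but the file type alone is worth a look.
            findings.append({"source": rel, "line": 0, "kind": "secret_bearing_file", "masked": ""})
        findings.extend(hits)
    return findings


def secret_like_env_names(environ: dict) -> list[str]:
    """Return only the names (never the values) of variables that look like credentials."""
    return sorted(n for n in environ if any(h in n.upper() for h in SECRET_ENV_HINTS))


def build_sample_checkout() -> Path:
    """Constructed sample tree (fake values, not real credentials) with the usual leak spots."""
    root = Path(tempfile.mkdtemp(prefix="secret-audit-"))
    (root / ".env").write_text(
        "MONGO_URI=mongodb://app:s3cr3t-pass@cluster.example.internal/prod\n"
        "MYSQL_URL=mysql://root:not-a-real-pw@db.example.internal:3306/app\n"
        "DEBUG=true\n"
    )
    (root / ".npmrc").write_text("registry=https://registry.npmjs.org/\n")
    (root / "README.md").write_text("# app\nNo secrets here.\n")
    (root / "config").mkdir()
    (root / "config" / "settings.yaml").write_text("api_key: 'abcd1234efgh5678'\nregion: eu-west-1\n")
    return root


if __name__ == "__main__":
    sample = build_sample_checkout()
    for f in scan_tree(sample):
        print(f"{f['source']}:{f['line']} {f['kind']} {f['masked']}")
    print("secret-like env names:", secret_like_env_names(dict(os.environ)))
```

Run it against a real checkout by replacing the sample root with the repository path; the output is a rotation list, not a dump, which is the property you want from any tooling that touches credentials after an incident like the one described above.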

Checkmarx has not provided a timetable for completing the forensic review. The company will inform customers and other relevant parties if investigators confirm that customer information was exposed.