
Application security company Checkmarx has confirmed that the LAPSUS$ threat group leaked data stolen from its private GitHub repository.
Although the investigation is ongoing, Checkmarx believes that the access vector was the Trivy supply-chain attack attributed to the hacker group known as TeamPCP, which provided access to credentials from downstream users.
Using stolen credentials obtained from the Trivy incident, the threat actor was able to access Checkmarx’s GitHub repositories and publish malicious code on March 23.
“Because of that access, the attackers were able to interact with Checkmarx’s GitHub environment and therefore publish malicious code to certain artifacts,” the company explains.
On April 22, because of their renewed access or month-long persistence, the attacker published malicious Docker images, VSCode and Open VSX extensions for Checkmarx’s KICS security scanner, which stole credentials, keys, tokens, and config files.
In an update yesterday, the company confirmed that the data the LAPSUS$ group published on their extortion portal belonged to Checkmarx and originated from the March 23 compromise.
“Our investigation, conducted with support from a leading third-party forensic firm, indicates that a cybercriminal group has published data related to Checkmarx to the dark web,” reads the update.
“Based on current evidence, we believe this data originated from Checkmarx’s GitHub repository, and that access to that repository was facilitated through the initial supply chain attack of March 23, 2026.”
Although Checkmarx and other media outlets reported that this data was leaked on the dark web, BleepingComputer has found that LAPSUS$ has also made the 96GB data pack available via clearnet portals.

Source: BleepingComputer
BleepingComputer has not examined the content of the leaked data, but Checkmarx assured that it does not contain customer information, as this isn’t stored in the company’s GitHub repository.
A forensic investigation is underway to determine the exact type of data that has been exposed.
The company states that, if customer information is found in the leaked data, affected individuals will be notified immediately.
Access to the affected GitHub repository has been blocked until the investigation is complete. Checkmarx estimates that it will be able to share more details within the next 24 hours.



