Checkmarx Confirms Dark Web Leak of Data Taken From Internal GitHub Repository
Checkmarx said data stolen during its March supply chain intrusion has been published on the dark web, with investigators tracing the exposure to a corporate GitHub repository accessed during the initial attack. The company said the affected repository was part of its developer environment, not its customer production environment, and that current evidence indicates customer data was not stored there and remains unaffected.
The disclosure follows reports that LAPSUS$ listed Checkmarx on its leak site and claimed to possess source code, an employee database, API keys, and MongoDB and MySQL credentials. Checkmarx said it has locked down access to the repository and is continuing forensic analysis to determine exactly what source code or internal documentation was exfiltrated, while warning that the incident is part of a broader supply chain attack chain that also involved tampered GitHub Actions workflows, Open VSX plugins, and other developer tooling tied to the earlier compromise.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Malicious Checkmarx Jenkins plugin uploaded to Jenkins Marketplace
On 2026-05-09, a rogue version of Checkmarx's Jenkins Application Security Testing plugin (2026.5.09) was published to the Jenkins Marketplace outside the normal release pipeline, containing credential-stealing malware. Checkmarx attributed the activity to TeamPCP, warned users to avoid the version, rotate secrets if installed, and published indicators of compromise.
Checkmarx confirms repository data was published on the dark web
Checkmarx disclosed that its investigation found company-related data had been published on the dark web and said the exposed material likely came from the GitHub repository accessed during the March 23 incident. The company stated it had locked down the affected repository, launched forensic analysis, and said current evidence indicates customer data was not stored there and remains unaffected.
LAPSUS$ leak-site post alleges Checkmarx data theft
After the March 23 attack, reporting indicated the LAPSUS$ cybercrime group listed Checkmarx on its leak site, claiming to possess source code, an employee database, API keys, and MongoDB/MySQL credentials. This represented a public claim that data stolen from Checkmarx was being offered or exposed.
Checkmarx links breach to Trivy/TeamPCP and finds second malicious wave
Checkmarx said its March 23, 2026 incident likely originated from the Trivy supply chain attack previously tied to TeamPCP, with attackers harvesting credentials to access GitHub repositories. The company also identified a second wave of malicious artifacts on April 22, indicating continued or renewed attacker access before related data appeared on the dark web.
Checkmarx suffers supply chain attack affecting developer environment
On March 23, 2026, Checkmarx said attackers compromised its systems in a supply chain incident and accessed a corporate GitHub repository by bypassing security controls. The affected repository was described as separate from the customer production environment.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
6 references tracked. Mallory keeps watching after this page renders.
Official CheckMarx Jenkins package compromised with infostealer
bleepingcomputer.com
Open sourceUpdate: Ongoing Checkmarx Supply Chain Security Incident
checkmarx.com
Open sourceCheckmarx Supply-Chain Attack 2026: How 40-Day Breach Exposed Security - Business 2.0 News
business20channel.tv
Open sourceCheckmarx Confirms GitHub Repository Data Published on Dark Web
cybersecuritynews.com
Open sourceOngoing supply-chain attack targets security, dev tools
theregister.com
Open sourceCheckmarx Confirms GitHub Repository Data Posted on Dark Web After March 23 Attack
thehackernews.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Lapsus$ Claims AstraZeneca Breach Exposed Source Code and Internal Credentials
Lapsus$ claimed it breached **AstraZeneca** and published allegedly stolen data on its blog and a dark web leak forum, with reports saying the cache includes full source code, employee databases, GitHub Enterprise user data, internal API keys, AWS keys, service accounts, and `MongoDB` and `MySQL` credentials. Researchers who reviewed sample files said parts of the leak appeared credible, citing source code tree structures, GitHub user information, employee details tied to AstraZeneca-related clinical research companies, and GitHub Actions logs containing developer email addresses and hardcoded secrets, including RSA private keys and database credentials. The exposed material appears to be concentrated on AstraZeneca’s technical infrastructure and employee information rather than patient medical records, but the incident raises immediate risks if any leaked credentials remain active. Valid keys and account data could enable follow-on intrusions into AstraZeneca systems, targeted phishing and social engineering against staff, and deeper analysis of proprietary code and internal environments by attackers seeking intellectual property or additional access.
May 25, 2026
Dark Web Leak Claims Target Multiple Organizations, Including Salesfloor and Republic
Dark web monitoring reports surfaced multiple **alleged data leaks** affecting unrelated organizations, with several listings offering databases for sale or direct download. Reports claim **Republic (republic.com)** user data (~4.94M users) was listed for sale for **$2,400**, allegedly including names, emails, physical addresses, and phone numbers. Separate dark web listings also alleged exposure of **rueducommerce.fr** user data (linked in reporting to **Carrefour**) totaling ~2.17M records with similar PII, as well as alleged leaks involving **Dunzo** (~3.4M records) and **Menulux** (~93K records). Additional reporting highlighted a historical breach dataset for the **YouHack** forum (2013; ~107K users) containing usernames, emails, passwords, IPs, posts, and private messages, and a smaller exposure tied to **buylottoonline.com** (~38.5K email records). One of the most consequential claims involved **Salesfloor / People Powered E-Commerce (salesfloor.net)**, attributed in reporting to **LAPSUS$**, alleging theft of roughly **4 TB uncompressed** (1 TB compressed) data including **source code, logs, and customer information**, with potential downstream impact to retail brands using the platform. Separately from the dark-web-leak theme, other items in the set describe distinct vulnerability-driven risks rather than breach listings: **Zoom Node MMRs** command injection (**CVE-2026-22844**, CVSS 9.9) enabling arbitrary code execution in certain hybrid meeting deployments; **SmarterMail** auth bypass (**CVE-2026-23760**) enabling admin password reset via `force-reset-password` and potential RCE; **Vite** improper access control (**CVE-2025-31125**) enabling sensitive file exposure via query parameters such as `?inline&import` / `?raw&import` (noted as added to CISA KEV); and **Appsmith** password-reset token exposure (**CVE-2026-22794**) enabling account takeover, with internet-exposed instances identified via Shodan and remediation via upgrade to *Appsmith* 1.93. These vulnerability reports are separate from the dark web leak claims and should be tracked as independent patching priorities rather than as part of a single breach event.
Mar 21, 2026
SailPoint Discloses Breach of GitHub Repositories via Third-Party App Flaw
SailPoint disclosed that attackers gained unauthorized access to a subset of its GitHub repositories after exploiting a vulnerability in a third-party application. The company said it detected the activity on April 20, contained the intrusion, terminated the unauthorized access, and remediated the underlying issue. In an SEC `8-K` filing and public statements, SailPoint said its investigation, supported by an external incident response firm, found no evidence that customer data in production or staging environments was accessed and no service disruption occurred; the company also said it directly notified affected customers and does not currently require further customer action. The company did not specify which repositories were affected or what information may have been exposed, leaving open questions about whether source code, configuration data, secrets, or architectural details were accessed. Outside experts said repository access can provide valuable reconnaissance for future identity-focused supply chain attacks, noting that the full impact of similar breaches at firms such as Okta, LastPass, and CircleCI only became clearer over time.
May 11, 2026