SailPoint Discloses Breach of GitHub Repositories via Third-Party App Flaw
SailPoint disclosed that attackers gained unauthorized access to a subset of its GitHub repositories after exploiting a vulnerability in a third-party application. The company said it detected the activity on April 20, contained the intrusion, terminated the unauthorized access, and remediated the underlying issue. In an SEC 8-K filing and public statements, SailPoint said its investigation, supported by an external incident response firm, found no evidence that customer data in production or staging environments was accessed and no service disruption occurred; the company also said it directly notified affected customers and does not currently require further customer action.
The company did not specify which repositories were affected or what information may have been exposed, leaving open questions about whether source code, configuration data, secrets, or architectural details were accessed. Outside experts said repository access can provide valuable reconnaissance for future identity-focused supply chain attacks, noting that the full impact of similar breaches at firms such as Okta, LastPass, and CircleCI only became clearer over time.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
SailPoint publicly discloses GitHub repository breach
On May 8, 2026, SailPoint disclosed the incident in a public filing and said affected customers had been directly notified. The company stated that it did not currently require further customer action and provided limited technical detail about what may have been exposed from the repositories.
SailPoint contains breach and remediates third-party vulnerability
After detecting the incident, SailPoint said it quickly terminated the unauthorized activity, contained the breach, and remediated the root cause. Its investigation, supported by an external incident response firm, found no evidence that customer data in production or staging environments was accessed and no service disruption occurred.
Attackers access SailPoint GitHub repositories via third-party app flaw
On April 20, 2026, SailPoint detected unauthorized access to a subset of its GitHub repositories. The company attributed the intrusion to exploitation of a vulnerability in a third-party application.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Checkmarx Confirms Dark Web Leak of Data Taken From Internal GitHub Repository
Checkmarx said data stolen during its March supply chain intrusion has been published on the dark web, with investigators tracing the exposure to a corporate GitHub repository accessed during the initial attack. The company said the affected repository was part of its developer environment, not its customer production environment, and that current evidence indicates customer data was not stored there and remains unaffected. The disclosure follows reports that **LAPSUS$** listed Checkmarx on its leak site and claimed to possess source code, an employee database, API keys, and `MongoDB` and `MySQL` credentials. Checkmarx said it has locked down access to the repository and is continuing forensic analysis to determine exactly what source code or internal documentation was exfiltrated, while warning that the incident is part of a broader supply chain attack chain that also involved tampered GitHub Actions workflows, Open VSX plugins, and other developer tooling tied to the earlier compromise.
May 12, 2026
Red Hat GitLab Breach by Crimson Collective Exposes Sensitive Data and Credentials
Red Hat confirmed a significant security incident after hackers from a group calling themselves "Crimson Collective" breached the company's GitLab instance. The attackers reportedly exfiltrated nearly 570GB of data, including approximately 800 Customer Engagement Reports spanning from 2020 to 2025. These reports are believed to contain sensitive information such as infrastructure details, authentication tokens, database URIs, and other credentials that could potentially allow unauthorized access to customer networks. In addition to the reports, the attackers claim to have stolen 28,000 private repositories, which included credentials, CI/CD secrets, pipeline configurations, VPN profiles, and infrastructure blueprints. The breach has raised concerns about the exposure of confidential customer and internal Red Hat data, as well as the potential for downstream attacks leveraging the stolen information. Analysis of the leaked data suggests that the attackers obtained a wide array of sensitive materials that could be used for further exploitation or sold on underground forums. The incident highlights the risks associated with source code management platforms and the importance of securing CI/CD pipelines and repository access. Red Hat has acknowledged the breach and is conducting an internal investigation to assess the full scope and impact. The company is working with affected customers to mitigate risks and has likely initiated incident response protocols, including credential rotation and infrastructure reviews. Security experts warn that the exposure of such a large volume of sensitive data could have long-term repercussions for both Red Hat and its customers, especially if the information is weaponized by other threat actors. The breach underscores the need for robust access controls, regular security audits, and rapid response capabilities in managing source code and customer data. Industry observers are closely monitoring the situation for signs of further exploitation or public release of the stolen data. The incident serves as a stark reminder of the evolving threat landscape and the persistent targeting of technology vendors by sophisticated cybercriminal groups. Organizations are advised to review their own security postures, especially regarding third-party software providers and supply chain dependencies, in light of this breach.
Mar 21, 2026
Trellix Investigates Unauthorized Access to Internal Source Code Repository
Trellix disclosed that attackers gained unauthorized access to part of its internal source code repository and said it immediately engaged external forensic experts and notified law enforcement. The cybersecurity vendor reported that its investigation had found **no evidence** that the release or distribution pipeline was compromised, that customer-facing products were tampered with, or that the accessed code had been exploited in the wild, but the inquiry remains ongoing. The incident is significant because Trellix is a major endpoint security and XDR provider formed from the merger of McAfee Enterprise and FireEye, with products used by governments and large enterprises. Public reporting said key details remain unclear, including the intruder's identity, the initial access vector, dwell time, which products or codebases were affected, and whether any additional data was exfiltrated; security observers warned that exposed source code can aid vulnerability discovery, reveal defensive logic, and create potential downstream supply-chain risk even without confirmed product compromise.
May 25, 2026