Ongoing supply-chain attack 'explicitly targeting' security, dev tools

Security firm Checkmarx is investigating a data breach after the Lapsus$ extortion group claimed to have leaked sensitive source code and credentials stolen from the company's GitHub repositories.

Key Points

  • Checkmarx confirmed that attackers accessed its GitHub repositories following a supply chain compromise that originated on March 23, 2026.
  • The Lapsus$ extortion group claims to have obtained source code, API keys, and database credentials, which it has posted on its leak site.
  • The incident stems from a broader campaign by the group TeamPCP, which previously injected malware into open source tools like Trivy, LiteLLM, and KICS.
  • Compromised assets include Checkmarx GitHub Actions, Open VSX plugins, and the Bitwarden CLI, potentially impacting over 50,000 businesses.
  • Checkmarx has locked down affected repositories and is currently working to determine if any customer-specific information was exposed.

Why it Matters

This attack highlights a dangerous shift toward targeting high-privilege developer tools that organizations inherently trust to secure their infrastructure. By compromising these essential utilities, attackers gain a force-multiplier effect that allows them to infiltrate thousands of downstream corporate environments simultaneously.
Theregister.com Published by Jessica Lyons