★ 8/10 · Security · 2026-04-27

Checkmarx Confirms GitHub Repository Data Posted on Dark Web After March 23 Attack

Summary

Checkmarx has confirmed that data from its GitHub repository was leaked on the dark web following a supply chain attack on March 23, 2026. While the company asserts that its customer production environments are isolated from the compromised repository, the leaked data potentially contains sensitive development assets.

Key Points

  • The breach originated from a supply chain attack on March 23, 2026, which allowed unauthorized access to Checkmarx's GitHub repository.
  • The attack involved the tampering of two GitHub Actions workflows and two plugins distributed via the Open VSX marketplace.
  • The injected malware functioned as a credential stealer designed to harvest developer secrets.
  • The compromise extended to the KICS Docker image, two VS Code extensions, and a GitHub Actions workflow.
  • A cascading impact of the incident resulted in the brief compromise of the Bitwarden CLI npm package.
  • Reported leaked data includes source code, employee databases, API keys, and MongoDB/MySQL credentials.

Technical Details

The attackers used a supply chain compromise to inject credential-stealing malware into the development lifecycle. The threat actors, identified as TeamPCP, tampered with GitHub Actions workflows and plugins within the Open VSX marketplace to exfiltrate developer secrets. The scope of the compromise included the KICS Docker image and specific VS Code extensions, demonstrating a multi-vector approach to harvesting credentials.

The incident also demonstrated the risk of downstream dependency contamination, as the breach led to a secondary compromise of the Bitwarden CLI npm package. Checkmarx has locked down access to the affected GitHub repository, but the investigation to determine the full extent of the exposure of API keys and database credentials is ongoing.

Impact / Why It Matters

Developers using the affected KICS Docker images, VS Code extensions, or Open VSX plugins should immediately audit their environments for unauthorized credential exfiltration. Any API keys, MongoDB/MySQL credentials, or other secrets potentially present in the compromised GitHub workflows must be rotated immediately.
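
One way to build the rotation list described above, as an added example that is not from Checkmarx or the original article: the script scans workflow files for references to a watched action or image and lists every secret those workflows can read. The names in `WATCHED` and the sample workflows are constructed placeholders, since the article does not name the affected artifacts; `artifact` and `rotation_list` are hypothetical helper names.

```python
import re

# Constructed placeholders: the article does not name the affected actions or
# images, so replace these with the identifiers from the vendor advisory.
WATCHED = {"example-vendor/scan-action", "example-vendor/iac-scanner"}

REF_RE = re.compile(r"^\s*(?:-\s*)?(?:uses|image):\s*['\"]?([^\s'\"#]+)", re.M)
SECRET_RE = re.compile(r"\bsecrets\.([A-Za-z_]\w*)")
INHERIT_RE = re.compile(r"^\s*secrets:\s*inherit\s*$", re.M)

def artifact(ref):
    """Strip the docker:// scheme and the first @ref or :tag suffix."""
    return re.split(r"[@:]", ref.removeprefix("docker://"), maxsplit=1)[0]

def rotation_list(workflows, watched=WATCHED):
    """Map each workflow that references a watched artifact to its secrets."""
    findings = {}
    for path, text in workflows.items():
        hits = [r for r in REF_RE.findall(text) if artifact(r) in watched]
        if not hits:
            continue
        # Conservative assumption: any secret named anywhere in the workflow
        # is treated as exposed, not only those passed to the watched step.
        secrets = set(SECRET_RE.findall(text))
        if INHERIT_RE.search(text):  # reusable-workflow call passing everything
            secrets.add("<all secrets: inherit>")
        findings[path] = {"references": hits, "rotate": sorted(secrets)}
    return findings

# Constructed sample input (not taken from the incident).
SAMPLE = {
    "scan.yml": """\
jobs:
  scan:
    steps:
      - uses: actions/checkout@v4
      - uses: example-vendor/scan-action@v2
        with:
          api_key: ${{ secrets.SCAN_API_KEY }}
      - run: ./migrate.sh
        env:
          MONGO_URI: ${{ secrets.MONGO_URI }}
""",
    "docs.yml": "steps:\n  - run: make docs\n    env:\n      T: ${{ secrets.DOCS_TOKEN }}\n",
}

if __name__ == "__main__":
    print(rotation_list(SAMPLE))
```

To audit a real checkout, load the files under `.github/workflows/` into the `workflows` dictionary keyed by path.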
