
The Checkmarx supply chain nightmare just got worse. The LAPSUS$ cybercrime group has publicly dumped data stolen from the Israeli application security company on its dark web leak site — and Checkmarx has now confirmed it's real.
On April 25, dark web threat intelligence account @DarkWebInformer flagged on X that LAPSUS$ added Checkmarx to its victim roster alongside MAPFRE and Vodafone. The exposed data reportedly includes source code, an employee database, API keys, and database credentials for both MongoDB and MySQL. Security researcher Adnan Khan noted the dump appears to total roughly 95 GB of private Checkmarx data.
In a security update published April 26, Checkmarx VP of Platform Engineering and Global CISO Udi-Yehuda Tamar confirmed the exposure, stating that a third-party forensic investigation points to the data originating from the company's GitHub repository. "Access to that repository was facilitated through the initial supply chain attack of March 23, 2026," the company said. Checkmarx has since locked down access to the affected repository and says its forensic probe is ongoing.
The company was quick to draw a line between the GitHub repo and its customer-facing infrastructure, stressing that the repository is maintained separately from its production environment and does not hold customer data. It pledged immediate notification if that assessment changes.
This is the latest domino to fall from the sprawling TeamPCP supply chain campaign — an operation that we (Cyber Kendra) covered last week when attackers pushed credential-stealing malware into Checkmarx's official KICS Docker images and two VS Code extensions on the Open VSX marketplace.
Hackers also compromised Bitwarden's CLI npm package (@bitwarden/cli version 2026.4.0), leaving it live for roughly 90 minutes — long enough to harvest AWS keys, GitHub tokens, and SSH credentials from any developer who installed it during that window.
TeamPCP has since boasted on BreachForums that it will "chain these compromises into devastating follow-on ransomware campaigns," and the LAPSUS$ publication appears to be exactly that follow-through. The attackers are deliberately targeting the tools developers are told to trust most — security scanners, password managers, and other high-privilege software wired directly into developer pipelines.
If your organization uses Checkmarx tooling, act now:
- Rotate any API keys, tokens, or credentials associated with Checkmarx integrations
- Audit GitHub Actions workflows for unauthorized modifications
- Remove and reinstall any VS Code extensions sourced from Checkmarx or Open VSX during the March–April window
- Block the exfiltration endpoint audit.checkmarx.cx and IP 94.154.172.43 at your perimeter
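To check whether you were already exposed before the block went in, the following added example (not code from Checkmarx, Bitwarden, or the original article) sweeps DNS/proxy log text for the two indicators above and checks a `package-lock.json` for the affected `@bitwarden/cli` version. The log format, function names, and sample data are assumptions constructed for illustration.

```python
import json
import re

# Indicators and affected package version as named in the article above.
EXFIL_DOMAIN = "audit.checkmarx.cx"
EXFIL_IP = "94.154.172.43"
BAD_NAME, BAD_VERSION = "@bitwarden/cli", "2026.4.0"

# Whole-token matches: a trailing root dot or ":port" is fine, a longer name is not.
IOC_PATTERNS = {
    EXFIL_DOMAIN: re.compile(r"(?<![\w.-])" + re.escape(EXFIL_DOMAIN) + r"(?!\.?[\w-])"),
    EXFIL_IP: re.compile(r"(?<![\d.])" + re.escape(EXFIL_IP) + r"(?!\.?\d)"),
}

def find_ioc_hits(log_text):
    """Return (line_number, indicator) for every log line naming an indicator."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for indicator, pattern in IOC_PATTERNS.items():
            if pattern.search(line.lower()):
                hits.append((lineno, indicator))
    return hits

def lockfile_pins_bad_package(lock_text):
    """True if a package-lock.json records the affected package version."""
    lock = json.loads(lock_text)
    # lockfileVersion 2/3: flat "packages" map keyed by install path.
    for path, meta in lock.get("packages", {}).items():
        if path.endswith("node_modules/" + BAD_NAME) and meta.get("version") == BAD_VERSION:
            return True
    # lockfileVersion 1: nested "dependencies" tree keyed by package name.
    stack = [lock.get("dependencies", {})]
    while stack:
        for dep_name, meta in stack.pop().items():
            if dep_name == BAD_NAME and meta.get("version") == BAD_VERSION:
                return True
            stack.append(meta.get("dependencies", {}))
    return False

# Constructed sample data, not real telemetry.
SAMPLE_LOG = """\
2026-04-22T10:01:09Z dns query A audit.checkmarx.cx. from 10.0.4.17
2026-04-22T10:01:10Z conn 10.0.4.17:51544 -> 94.154.172.43:443 allowed
2026-04-22T10:02:00Z dns query A audit.checkmarx.cx.example.net from 10.0.4.9
2026-04-22T10:02:03Z conn 10.0.4.9:40112 -> 194.154.172.43:443 denied
"""
SAMPLE_LOCK = '{"lockfileVersion": 3, "packages": {"node_modules/@bitwarden/cli": {"version": "2026.4.0"}}}'

if __name__ == "__main__":
    print(find_ioc_hits(SAMPLE_LOG), lockfile_pins_bad_package(SAMPLE_LOCK))
```

A project lockfile does not record global installs, so hosts where the CLI was installed with `-g` need a separate check such as `npm ls -g @bitwarden/cli`. Any host that produces a hit should have its credentials rotated per the first item in the list above.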
The investigation is active. Checkmarx says a more detailed update was expected within 24 hours of the April 26 disclosure.