Executive Summary
In March 2026, application security firm Checkmarx experienced a significant security breach when the LAPSUS$ threat group exploited credentials obtained from the Trivy supply chain attack, attributed to TeamPCP. This access allowed the attackers to infiltrate Checkmarx's GitHub repositories, leading to the publication of malicious code and the subsequent leak of sensitive data. The compromised data, totaling 96GB, was later made available on both dark web and clearnet platforms. Checkmarx has confirmed that the leaked data originated from their GitHub repository and is actively investigating the incident to assess the full scope of the breach.
This incident underscores the escalating threat posed by supply chain attacks, where compromising a single component can have cascading effects across multiple organizations. The Checkmarx breach highlights the critical need for robust security measures within development pipelines and the importance of securing third-party tools to prevent unauthorized access and data exfiltration.
Why This Matters Now
The Checkmarx breach exemplifies the growing sophistication of supply chain attacks, emphasizing the urgent need for organizations to fortify their development environments and implement stringent security protocols to safeguard against such pervasive threats.
Attack Path Analysis
The attack began with the compromise of Trivy, an open-source vulnerability scanner, by TeamPCP, leading to the theft of credentials from downstream users. Using these stolen credentials, the attackers accessed Checkmarx's GitHub repositories, escalating their privileges to publish malicious code. They then moved laterally within the environment, modifying Docker images and VSCode extensions associated with Checkmarx's KICS security scanner. The attackers established command and control by embedding malicious code into these artifacts, enabling remote access. Subsequently, they exfiltrated sensitive data, including source code and credentials, from Checkmarx's repositories. Finally, the LAPSUS$ group publicly leaked the stolen data, causing reputational damage and potential security risks for Checkmarx and its clients.
Kill Chain Progression
Initial Compromise
Description
TeamPCP compromised Trivy, an open-source vulnerability scanner, leading to the theft of credentials from downstream users.
MITRE ATT&CK® Techniques
Valid Accounts
Unsecured Credentials: Credentials in Files
Application Layer Protocol: Web Protocols
Phishing: Spearphishing Attachment
Supply Chain Compromise: Compromise Software Supply Chain
Modify Authentication Process: Domain Controller Authentication
Obfuscated Files or Information
File and Directory Discovery
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Change Control Processes
Control ID: 6.4.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity and Access Management
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
Supply chain attacks targeting GitHub repositories directly threaten software development workflows, source code integrity, and credential security across development environments.
Computer/Network Security
Security vendors face elevated supply chain risks as compromised tools like KICS scanner and Docker images can propagate malicious code to downstream customers.
Information Technology/IT
IT organizations using compromised development tools and containers face credential theft, unauthorized access, and potential lateral movement through encrypted traffic vulnerabilities.
Financial Services
Financial institutions require robust egress security and zero trust segmentation to prevent data exfiltration when using third-party development and security scanning tools.
Sources
- Checkmarx confirms LAPSUS$ hackers leaked its stolen GitHub datahttps://www.bleepingcomputer.com/news/security/checkmarx-confirms-lapsus-hackers-leaked-its-stolen-github-data/Verified
- Supply Chain Security Incident Updatehttps://checkmarx.com/blog/supply-chain-security-incident-update/Verified
- Guidance for detecting, investigating, and defending against the Trivy supply chain compromisehttps://www.microsoft.com/en-us/security/blog/2026/03/24/detecting-investigating-defending-against-trivy-supply-chain-compromise/Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it embeds security directly into the cloud fabric, potentially limiting unauthorized lateral movements and data exfiltration within cloud environments.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The Aviatrix CNSF could have limited the attacker's ability to exploit compromised credentials by enforcing strict identity-based access controls, thereby reducing unauthorized access to critical systems.
Control: Zero Trust Segmentation
Mitigation: Zero Trust Segmentation could have restricted the attacker's ability to escalate privileges by enforcing least-privilege access policies, thereby limiting unauthorized modifications to repositories.
Control: East-West Traffic Security
Mitigation: East-West Traffic Security could have limited the attacker's lateral movement by monitoring and controlling internal traffic, thereby reducing unauthorized modifications to internal artifacts.
Control: Multicloud Visibility & Control
Mitigation: Multicloud Visibility & Control could have identified and constrained unauthorized command and control channels by providing comprehensive monitoring across cloud environments, thereby reducing the attacker's ability to maintain remote access.
Control: Egress Security & Policy Enforcement
Mitigation: Egress Security & Policy Enforcement could have limited data exfiltration by monitoring and controlling outbound traffic, thereby reducing unauthorized data transfers.
While Aviatrix Zero Trust CNSF may not have prevented the initial data theft, its controls could have limited the scope of data accessible to attackers, thereby reducing the volume of information available for public disclosure.
Impact at a Glance
Affected Business Functions
- Software Development
- Product Security
- Customer Support
Estimated downtime: 7 days
Estimated loss: $500,000
Internal source code and proprietary information; no customer data reported as exposed.
Recommended Actions
Key Takeaways & Next Steps
- • Implement Zero Trust Segmentation to restrict access and limit lateral movement within the network.
- • Enforce East-West Traffic Security to monitor and control internal communications, preventing unauthorized data transfers.
- • Deploy Egress Security & Policy Enforcement to filter outbound traffic and block unauthorized data exfiltration.
- • Utilize Multicloud Visibility & Control to gain comprehensive insights into cloud environments and detect anomalies.
- • Apply Threat Detection & Anomaly Response mechanisms to identify and respond to suspicious activities promptly.
