Checkmarx, a global leader in application security testing, has disclosed a significant breach of its internal systems. The attack originated not from a direct assault, but through a sophisticated supply chain maneuver that leveraged a popular third-party security tool to gain a foothold in the company’s development environment.
The breach has led to the exfiltration of internal data and the temporary distribution of malicious code artifacts, highlighting the extreme risks even top-tier security firms face in the modern software ecosystem.
The trouble began with what Checkmarx describes as the “Trivy Supply Chain Attack”. On March 19, the cybersecurity community began reporting that a vulnerability in the Trivy scanner could be used to harvest credentials from downstream users.
Checkmarx believes this was the key that unlocked their front door: “While we are still investigating the incident, we believe this is the likely vector that enabled the attackers to obtain credentials and to gain unauthorized access to our GitHub repositories”.
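The attack class described above, a third-party tool executed inside the build pipeline with reach into repository credentials, is the reason practitioners insist on pinning CI dependencies to immutable commit SHAs rather than mutable tags or branches. The script below is an added example, not code from this article, from Checkmarx or from the Trivy project; it assumes the tool is consumed as a GitHub Actions step (this article does not say how Trivy was delivered) and audits a workflow for steps that reference a mutable ref, escalating to high severity when such a step is also handed a secret. The workflow text and action names are constructed for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample workflow for this example (not Checkmarx's or Trivy's):
# one step pinned to a full commit SHA, two steps on mutable refs, one of
# which also receives a repository secret.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/example-scanner-action@v1
        with:
          token: ${{ secrets.REGISTRY_TOKEN }}
      - uses: example-org/example-lint-action@8f3a2c1d9e0b7a6c5d4e3f2a1b0c9d8e7f6a5b4c
      - run: echo "done"
"""

# Matches "- uses: owner/repo@ref" lines; a full YAML parser is not needed
# for this check, and avoiding one keeps the example dependency-free.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class Finding:
    line: int
    action: str
    ref: str
    severity: str
    reason: str


def _step_receives_secret(lines: list[str], idx: int) -> bool:
    """True if any line belonging to the step starting at lines[idx]
    references ${{ secrets.* }}. Step membership is decided by indentation:
    lines indented deeper than the step's '-' belong to that step."""
    base = len(lines[idx]) - len(lines[idx].lstrip())
    for nxt in lines[idx + 1:]:
        if not nxt.strip():
            continue
        if len(nxt) - len(nxt.lstrip()) <= base:
            break
        if "secrets." in nxt:
            return True
    return False


def audit_workflow(text: str, first_party_owners: tuple[str, ...] = ("actions",)) -> list[Finding]:
    """Flag every 'uses:' step not pinned to a 40-hex commit SHA.
    Severity is 'high' when the unpinned step is also given a secret,
    since that is exactly the credential-harvesting position a compromised
    upstream tool would occupy; otherwise 'medium'."""
    lines = text.splitlines()
    findings: list[Finding] = []
    for idx, line in enumerate(lines):
        m = USES_RE.match(line)
        if not m:
            continue
        spec = m.group(1)
        if spec.startswith(("./", "docker://")):
            continue  # local and container references are out of scope here
        action, _, ref = spec.partition("@")
        if FULL_SHA_RE.match(ref):
            continue  # immutable pin: tag/branch retargeting cannot swap the code
        owner = action.split("/", 1)[0]
        party = "first-party" if owner in first_party_owners else "third-party"
        reason = "no ref (resolves to default branch)" if not ref else f"{party} action on mutable ref"
        severity = "high" if (not ref or _step_receives_secret(lines, idx)) else "medium"
        findings.append(Finding(idx + 1, action, ref, severity, reason))
    return findings


if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line}: [{f.severity}] {f.action}@{f.ref or '<none>'}: {f.reason}")
```

Run against a real `.github/workflows/*.yml` tree the same logic applies unchanged; the point of the secret heuristic is to prioritise the steps where a tag retarget upstream would land the attacker directly in front of a token, which is the outcome this article attributes to the Trivy incident.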
Once inside the GitHub environment, the attackers didn’t just look around; they began to actively tamper with the company’s output.
The intrusion was not a one-time event but a month-long saga involving data theft and persistent access:
- March 23: The incident is officially identified. Attackers push malicious code directly into Checkmarx’s GitHub repository.
- March 30: Attackers successfully exfiltrate data from the compromised repositories.
- April 22: A “second wave” of malicious artifacts is published, indicating that the attackers either maintained persistence or successfully renewed their access.
- April 25: The notorious LAPSUS$ cybercriminal group publishes the stolen Checkmarx data to the dark web.
Upon discovering the breach, Checkmarx immediately launched a containment and remediation effort. The company was quick to note a critical silver lining: customer production environments are maintained separately from the affected GitHub repositories. Furthermore, standard company practice dictates that “we do not store customer data in our GitHub repository”.
Checkmarx remains in the final stages of its investigation and is working to confirm that unauthorized access has been fully contained.