CHECKMARX confirmed that data theft occurred in its supply chain attack, with exfiltration from its GitHub environment on 30 March 2026, about a week after malicious code was first published. The breach was linked to the Trivy supply chain incident, which allowed attackers to hijack dozens of GitHub Action version tags to reference malware without visible changes.
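The tag-hijacking technique described above works because a GitHub Action referenced by a tag or branch (`@v4`, `@master`) resolves to whatever commit that ref points to today, so a compromised maintainer account can repoint it without any change visible in the consuming repository. Pinning to a full commit SHA is the standard mitigation; as an added example (not code from the article or from Checkmarx), the following Python script audits a workflow file for `uses:` references and flags those that resolve through a mutable ref. The workflow text, the action names and the 40-hex SHA are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Constructed sample workflow (not from the article): a mix of pinned and mutable refs.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - name: Scan
        uses: example-org/scanner-action@master
"""

# Matches "uses: <ref>" on a step line, with or without the leading list dash.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
# A full 40-hex commit SHA is the only immutable ref GitHub Actions offers.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)

@dataclass
class Finding:
    line: int
    ref: str
    kind: str  # "pinned", "mutable", "local", "docker" or "unversioned"

def classify(ref: str) -> str:
    """Decide whether an action reference can be silently repointed."""
    if ref.startswith("./"):          # action in the same repo: no tag to hijack
        return "local"
    if ref.startswith("docker://"):   # image refs need digest pinning, a separate check
        return "docker"
    if "@" not in ref:
        return "unversioned"          # resolves to the default branch: mutable
    _, version = ref.rsplit("@", 1)
    return "pinned" if FULL_SHA_RE.match(version) else "mutable"

def audit_workflow(text: str) -> list[Finding]:
    """Return one Finding per uses: line, in file order."""
    return [Finding(n, m.group(1), classify(m.group(1)))
            for n, line in enumerate(text.splitlines(), 1)
            if (m := USES_RE.match(line))]

def mutable_refs(text: str) -> list[str]:
    """Refs a tag hijack could redirect: tags, branches and unversioned actions."""
    return [f.ref for f in audit_workflow(text) if f.kind in ("mutable", "unversioned")]

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{f.line:>3}: {f.kind:<11} {f.ref}")
```

A SHA pin only guarantees you run the commit you reviewed; it does not vouch for that commit's contents, and actions that a pinned action itself invokes must be pinned the same way.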
The compromise was attributed to the TeamPCP hacking group, and around the same period messages from the Lapsus$ extortion group suggested a potential partnership for monetisation. SecurityWeek reports that the data exfiltrated included source code, employee databases, API keys, and credentials for MongoDB and MySQL, as claimed by Lapsus$.
Investigation notes indicate access originated from credentials compromised during the Trivy attack on 23 March 2026 and that the attackers retained or regained access after initial remediation efforts. Checkmarx also disclosed a 96GB archive containing purportedly stolen data and said that, while some access was blocked, the unauthorized access had not been fully contained, with law enforcement notified and Mandiant engaged.