Supply Chain Fallout: LAPSUS$ Leaks 96GB of Stolen Checkmarx Data Following TeamPCP Breach
Checkmarx is grappling with a distressing sequel to its March security breach, as data exfiltrated from a private GitHub repository has surfaced in the possession of the LAPSUS$ collective. The organization posits that the incursion originated from a supply chain offensive involving Trivy, with initial ingress facilitated by compromised administrative credentials.
According to the Checkmarx post-mortem, the credential theft is attributed to an operation linked to the TeamPCP group. Having secured access to the firm’s GitHub repositories on March 23, the adversaries successfully manipulated the build environment and surreptitiously embedded malicious code within several artifacts.
One month later, the crisis underwent a critical escalation. On April 22, the assailants disseminated compromised Docker images, alongside VS Code and Open VSX extensions for the KICS security scanner. These components were meticulously engineered to harvest credentials, cryptographic keys, tokens, and configuration files from unsuspecting users.
Checkmarx has confirmed that the data published by LAPSUS$ is indeed authentic and, per the ongoing investigation, stems from the GitHub repository breached in March. This forensic inquiry is being conducted with the support of a specialized third-party digital forensics firm.
While Checkmarx and various media outlets initially associated the leak with dark web forums, BleepingComputer reports that LAPSUS$ also distributed a 96 GB archive via publicly accessible clearnet platforms. The specific contents of this vast data cache remain unverified by independent parties.
Checkmarx maintains that client information should remain uncompromised, as such sensitive data is not housed within their GitHub repositories. Nevertheless, the audit remains ongoing; should the investigation unearth client-specific records among the published materials, the company has pledged to notify affected parties directly. Access to the impacted repository remains suspended pending the final conclusion of the investigation, with further disclosures expected imminently.