In March 2026, Checkmarx's GitHub environment was compromised following a supply chain attack originating from the Trivy incident. Attackers hijacked GitHub Action version tags and poisoned OpenVSX plugins to inject malware without visible code changes. The threat actors, linked to TeamPCP and Lapsus$, accessed sensitive data including source code and credentials. Despite initial remediation steps, attackers maintained or regained access, continuing to publish malicious code and ultimately leaking a 96GB archive of stolen data. Checkmarx responded by removing malicious packages, rotating credentials, blocking attacker infrastructure, notifying law enforcement, retaining Mandiant for investigation, and conducting a code audit. The company reports the breach is contained and is completing its investigation.

The attack resulted in the theft of sensitive data including source code, employee databases, API keys, and database credentials from Checkmarx's GitHub repositories. The compromise affected the integrity of open source software supply chains and exposed critical internal assets. The public leak of a large data archive increases the risk of further exploitation or secondary attacks. The incident also impacted the Bitwarden CLI NPM package, a widely used open source password management tool, potentially affecting its users.

Checkmarx has removed malicious packages, revoked and rotated compromised credentials, blocked outbound access to attacker infrastructure, and locked down GitHub repository access. The company has engaged law enforcement and cybersecurity experts (Mandiant) and is conducting a thorough code audit. These remediation steps have contained the unauthorized access. Organizations using affected open source components should monitor vendor advisories for updates. Patch status is not explicitly stated; check Checkmarx advisories for ongoing remediation guidance.