
Checkmarx Confirms LAPSUS$ Supply Chain Attack: GitHub Data Stolen and Leaked


Application security company Checkmarx has confirmed that the LAPSUS$ threat group published malicious code to its GitHub environment on March 23, 2026, exfiltrated data seven days later on March 30, and subsequently leaked it publicly. Organizations that integrate Checkmarx tools into CI/CD pipelines should treat any artifacts pulled from Checkmarx’s GitHub environment during the March 23–30 window as potentially compromised.

What We Know So Far

Checkmarx is a major application security vendor whose scanning tools are embedded in CI/CD pipelines at thousands of enterprises. LAPSUS$ — known for social engineering, SIM swapping, and insider recruitment — gained access to Checkmarx’s private GitHub repositories.

The attack timeline:

  • March 23, 2026: LAPSUS$ published malicious code to Checkmarx’s GitHub environment
  • March 30, 2026: The group exfiltrated data from the compromised repositories
  • Late April 2026: Stolen data was leaked publicly, forcing Checkmarx to confirm the breach

This is consistent with LAPSUS$’s documented playbook: compromise a high-trust vendor’s development infrastructure, plant malicious artifacts, and use the vendor as a supply chain conduit to downstream customers. Previous LAPSUS$ targets include Okta, Microsoft, Samsung, and Nvidia — all chosen for their privileged position in customer environments.

The specific data types exfiltrated have not been fully disclosed by Checkmarx. What makes this particularly significant for security teams is not the data theft itself, but the window during which malicious code existed in Checkmarx’s GitHub environment. Any tool version, scanner binary, or CI/CD integration pulled from that environment between March 23 and March 30 should be treated as potentially tampered until verified against official release checksums.

Checkmarx scanning tools run with elevated access inside build pipelines — the position that makes AppSec vendors such attractive supply chain targets.

What You Should Do Now

  1. Audit your CI/CD pipelines for any Checkmarx tool versions or artifacts downloaded between March 23 and March 30, 2026. Compare checksums against Checkmarx’s official releases distributed through their secure channels — not GitHub.

  2. Contact Checkmarx directly via their security advisory portal to request the full list of affected repositories and any IOCs associated with the malicious code introduced by LAPSUS$.

  3. Review GitHub Actions workflows and Dockerfiles that reference Checkmarx’s GitHub repositories or SHAs pointing to the March 23–30 window. Rebuild those pipeline stages from verified sources.

  4. Check pipeline execution logs from March 23–30 for anomalous outbound connections, unexpected process spawns, or privilege escalation events during scanner runs.

  5. Audit MFA enforcement and privileged developer access across all accounts with permissions to shared build infrastructure. LAPSUS$’s primary vectors are social engineering and account takeover — internal access controls are the key defensive layer.
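An audit helper for steps 1 and 3 above, added here as an example and not tooling from Checkmarx or from the reporting outlets: it finds every reference to the Checkmarx GitHub org in workflow and Dockerfile text, classifies each as unpinned, tag/branch, or commit-pinned (the pinned ones are the SHAs to check against the March 23–30 window), and verifies a downloaded artifact against a checksum assumed to come from the vendor’s official channel. The workflow, Dockerfile, action and repository names are constructed placeholders.

```python
import hashlib
import re
# One pattern covers GitHub Actions `uses:` lines and raw github.com URLs
# (Dockerfile RUN/ADD lines, git clone commands) that point at the Checkmarx org.
REF_RE = re.compile(
    r"(?:uses:\s*|github\.com/)([Cc]heckmarx/[\w-]+)"  # org/repo
    r"(?:(?:@|/(?:archive|commit|tree)/)([\w.-]+))?"   # optional ref after @ or /archive/
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def classify_ref(ref):
    """Map a reference to the follow-up that step 3 calls for."""
    if ref is None:
        return "unpinned"      # default branch: rebuild the stage from a verified source
    if SHA_RE.match(ref):
        return "pinned-sha"    # immutable: check the commit date against the Mar 23-30 window
    return "mutable-ref"       # tag or branch can be moved: rebuild from a verified source

def audit_text(text):
    """Return (repo, ref, status) for every Checkmarx GitHub reference in a workflow or Dockerfile."""
    findings = []
    for repo, ref in REF_RE.findall(text):
        ref = re.sub(r"\.(tar\.gz|zip)$", "", ref) or None  # strip archive suffix; '' -> None
        findings.append((repo, ref, classify_ref(ref)))
    return findings

def verify_artifact(data, expected_sha256):
    """Step 1: compare a downloaded binary with the checksum from the vendor's official (non-GitHub) channel."""
    return hashlib.sha256(data).hexdigest() == expected_sha256.strip().lower()

# Constructed sample inputs; the action and repository names are placeholders, not real projects.
SAMPLE_WORKFLOW = """\
jobs:
  scan:
    steps:
      - uses: actions/checkout@v4
      - uses: checkmarx/example-scan-action@v2
      - uses: Checkmarx/example-cli-action@0123456789abcdef0123456789abcdef01234567
"""
SAMPLE_DOCKERFILE = """\
FROM python:3.12-slim
RUN git clone https://github.com/checkmarx/example-cli.git /opt/cx
ADD https://github.com/checkmarx/example-tool/archive/89abcdef0123456789abcdef0123456789abcdef.tar.gz /tmp/
"""

if __name__ == "__main__":
    for name, text in (("workflow", SAMPLE_WORKFLOW), ("Dockerfile", SAMPLE_DOCKERFILE)):
        for repo, ref, status in audit_text(text):
            print(f"{name}: {repo}@{ref or '<default branch>'} -> {status}")
```

Point `audit_text` at the contents of each `.github/workflows/*.yml` and Dockerfile in the repositories that embed Checkmarx scanners; every `pinned-sha` finding still needs its commit date checked against the window, since the date is not recoverable from the SHA alone.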


Sources: SecurityWeek, BleepingComputer
