Last updated: May 13, 2026 at 5:42 AM UTC

Checkmarx confirms its source code, employee database, and cloud credentials were posted on the dark web after the March supply-chain attack

Checkmarx confirmed Friday that data from its private GitHub repository was posted on the dark web following the March 23 TeamPCP supply-chain attack. The LAPSUS$ group published the dump, which includes Checkmarx source code, an employee database, API keys, and MongoDB and MySQL credentials. Checkmarx says the affected GitHub repository was separate from the customer Checkmarx One SaaS production environment, with no customer data stored in it. The bigger picture: an attack that started by poisoning a single GitHub Action 35 days ago has now produced a full source code, credentials, and employee data leak - under five weeks end to end.

Check
If your team uses Checkmarx KICS or AST GitHub Actions, the Checkmarx Open VSX extensions, or any Checkmarx self-hosted product, rotate every credential issued during March.
Affected
Organizations using Checkmarx KICS or AST GitHub Action versions pulled between 12:58 and 16:50 UTC on March 23. Checkmarx Open VSX extensions ast-results 2.53.0 and cx-dev-assist 1.7.0. Any environment where Checkmarx-issued API keys reach cloud accounts, repos, or CI/CD secret stores - those credentials may be in the leak.
Fix
Rotate every credential, API key, and integration token that touched Checkmarx tooling in March. Audit GitHub Actions logs for outbound traffic to checkmarx[.]zone or audit.checkmarx.cx. Pin GitHub Actions to immutable commit SHAs rather than version tags. Treat any Checkmarx-issued auth token from March as burned and reissue. Watch for follow-up phishing referencing real Checkmarx employees.
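The pinning and log-audit steps in the Fix list can be checked with a short script. This is an added example, not code from Checkmarx or from the original article; the workflow and log samples are constructed, and the `example-org` action names are hypothetical.

```python
import re

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# The two domains named in the article; each dot may be live (.) or defanged ([.]).
IOC_RE = re.compile(
    r"(?<![\w-])(?:checkmarx(?:\[\.\]|\.)zone"
    r"|audit(?:\[\.\]|\.)checkmarx(?:\[\.\]|\.)cx)(?![\w-])",
    re.IGNORECASE,
)

def unpinned_actions(workflow_text):
    """Return (line_no, reference) for each `uses:` not pinned to a 40-hex commit SHA."""
    findings = []
    for no, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        if target.startswith(("./", "docker://")):
            continue  # local actions and container images are not tag-or-SHA refs
        ref = target.partition("@")[2]
        if not FULL_SHA_RE.match(ref):
            findings.append((no, target))
    return findings

def ioc_hits(log_text):
    """Return (line_no, line) for each log line that mentions an indicator domain."""
    return [(no, line.strip())
            for no, line in enumerate(log_text.splitlines(), 1)
            if IOC_RE.search(line)]

# Constructed samples: example-org action names and all log lines are hypothetical.
SAMPLE_WORKFLOW = """\
steps:
  - uses: example-org/checkout-action@0123456789abcdef0123456789abcdef01234567
  - uses: example-org/iac-scan-action@v2
  - uses: example-org/report-action@main  # branch ref
  - uses: ./local/action
"""
SAMPLE_LOG = """\
00:00:01 CONNECT api.example.org:443
00:00:02 CONNECT audit.checkmarx.cx:443
00:00:03 resolve cdn.checkmarx[.]zone
00:00:04 CONNECT notcheckmarx.zone:443
"""
if __name__ == "__main__":
    print(unpinned_actions(SAMPLE_WORKFLOW))
    print(ioc_hits(SAMPLE_LOG))
```

The check confirms only the shape of the ref; whether a given SHA is the intended upstream commit still has to be verified by hand.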