Overview
- Checkmarx, which confirmed Tuesday that LAPSUS$ leaked data from its private GitHub repository, says the access came from a March 23 supply-chain attack.
- Researchers tie the breach to TeamPCP, which stole CI/CD pipeline secrets from the Trivy scanner and then used them to push malicious changes into Checkmarx’s KICS tool, GitHub Actions workflows, and Open VSX plugins for code editors.
- After an initial cleanup, the attackers retained or regained access and on April 22 published tainted KICS Docker images and extensions that planted credential-stealing code, which briefly spread to Bitwarden's widely used command-line tool.
- Checkmarx says data was exfiltrated March 30, and LAPSUS$ has posted a 96GB archive on dark-web and public sites that it claims holds source code, API keys, database logins, and employee records.
- The company has locked affected repos, rotated credentials, hired Mandiant, and alerted law enforcement, while saying the GitHub data sits apart from customer production systems and that it will notify customers if any customer data is found.