Checkmarx, a leading application security testing platform trusted by thousands of enterprises worldwide, has confirmed that data originating from its GitHub repositories has been posted on the dark web following the investigation into a March 23, 2026 supply chain security incident.
In an updated statement published this week, Checkmarx said: "Based on current evidence, we believe this data originated from Checkmarx's GitHub repository, and that access was obtained during the March 23 incident."
Background: The March 23 Supply Chain Attack
The March 23 incident was part of a broader supply chain campaign that security researchers subsequently linked to malicious KICS Docker images and compromised VS Code extensions. Checkmarx's KICS (Keeping Infrastructure as Code Secure) is an open-source static analysis tool widely used in DevSecOps pipelines to scan infrastructure-as-code files for misconfigurations.
Researchers at several security firms identified that a threat actor had managed to push malicious versions of KICS-related Docker images to public registries. These images contained embedded backdoors designed to exfiltrate environment variables, credentials, and repository contents from CI/CD environments where the images were executed.
The VS Code extension component of the campaign targeted developers who had installed certain security-focused extensions from the VS Code marketplace, some of which were compromised through credential theft from the extension publishers' accounts.
What Was Exposed
Checkmarx confirmed that the dark web posting contains data it believes originated from its GitHub repositories, but stated that its investigation is ongoing. The company has not provided a complete inventory of what was included in the leaked data.
Based on analysis of the posting by third-party threat intelligence researchers, the data reportedly includes:
- Internal source code files and configuration samples
- Documentation and internal tooling scripts
- Commit history metadata including contributor information
- Portions of internal CI/CD pipeline configurations
Checkmarx stated it has found no evidence that customer scan results, vulnerability reports, or application source code submitted by customers for analysis was included in the leaked data. The company is working with external forensic investigators to validate this assessment.
Scope of Impact
The broader supply chain campaign affected multiple organizations that integrated KICS or related Checkmarx tooling into their development workflows. Security teams at affected organizations were advised to:
- Audit CI/CD pipeline logs for execution of compromised KICS Docker image versions
- Rotate all credentials and secrets present in environments where the compromised images executed
- Review any VS Code extension permissions granted in developer environments
- Check for unexpected outbound network connections from build environments
The window of exposure for the malicious Docker images ran from approximately March 18 through March 24, when Checkmarx and registry operators took action to remove the compromised versions.
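A defender-side check covering the first and last steps above, written here as an added example (it is not Checkmarx's code or anything published with the article): it parses constructed CI log lines, flags KICS image runs that pulled a mutable tag inside the March 18 through March 24 window as the cases needing secret rotation, and flags unpinned pulls elsewhere. The log line format and the `checkmarx/kics` repository name are assumptions; adjust both to your pipeline.

```python
import re
from datetime import datetime, timezone
# Exposure window from the article: March 18 through March 24, 2026 (UTC, inclusive).
WINDOW_START = datetime(2026, 3, 18, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 3, 24, 23, 59, 59, tzinfo=timezone.utc)
KICS_REPO = "checkmarx/kics"  # assumed repository name; change to the mirror you pull from

# Assumed log format: "<ISO timestamp with offset> job=<name> image=repo[:tag][@sha256:digest]"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+job=(?P<job>\S+)\s+image=(?P<image>\S+)$")
IMAGE_RE = re.compile(r"^(?P<repo>[^:@]+)(?::(?P<tag>[^@]+))?(?:@(?P<digest>sha256:[0-9a-f]{64}))?$")

def parse_line(line):
    """Return a record for a well-formed line, or None for anything that does not parse."""
    m = LINE_RE.match(line.strip())
    img = IMAGE_RE.match(m["image"]) if m else None
    if not img:
        return None
    try:
        ts = datetime.fromisoformat(m["ts"])  # timestamps must carry a UTC offset
    except ValueError:
        return None
    return {"ts": ts, "job": m["job"], "image": m["image"],
            "repo": img["repo"], "tag": img["tag"], "digest": img["digest"]}

def audit(lines):
    """Return findings for KICS runs; mutable tags inside the window are the rotate-now cases."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["repo"] != KICS_REPO:
            continue  # unparseable line or an unrelated image
        in_window = WINDOW_START <= rec["ts"] <= WINDOW_END
        if rec["digest"] is None and in_window:
            sev, why = "high", "mutable tag run inside exposure window; rotate secrets in this environment"
        elif rec["digest"] is None:
            sev, why = "medium", "mutable tag; pin the image by digest"
        elif in_window:
            sev, why = "info", "digest-pinned run inside window; confirm digest against vendor known-good list"
        else:
            continue  # digest-pinned and outside the window: nothing to report
        findings.append({"job": rec["job"], "image": rec["image"], "severity": sev, "reason": why})
    return findings

# Constructed sample log; the digest value is a placeholder, not a real KICS image digest.
SAMPLE_LOG = """\
2026-03-20T11:30:00+00:00 job=iac-scan image=checkmarx/kics:latest
2026-03-21T08:05:00+00:00 job=nightly image=checkmarx/kics@sha256:0000000000000000000000000000000000000000000000000000000000000000
2026-03-22T14:00:00+00:00 job=unit-tests image=python:3.12
2026-03-26T10:00:00+00:00 job=iac-scan image=checkmarx/kics:latest
"""
```

Feed `audit()` your real pipeline log export line by line; the "high" findings are the environments whose credentials the advice above says to rotate.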
Threat Actor Attribution
Attribution for the campaign remains uncertain. The technical characteristics of the attack — including the use of compromised publisher credentials, the targeting of security tooling to maximize downstream reach, and the data exfiltration methodology — are consistent with tactics used by several threat groups active in supply chain operations.
Some researchers have noted overlaps with infrastructure previously associated with campaigns targeting open-source security tools, though no definitive attribution has been made public.
Checkmarx Response
Checkmarx stated it is:
- Conducting a comprehensive review of access controls on its GitHub repositories and publishing infrastructure
- Enhancing monitoring across its software supply chain
- Engaging with customers to provide guidance on assessing their own exposure
- Cooperating with law enforcement agencies investigating the incident
The company said it will provide further updates as the investigation progresses.
Broader Supply Chain Implications
The Checkmarx incident illustrates a pattern that has become increasingly common: threat actors targeting security vendors and tooling providers specifically because compromising these systems provides a force-multiplier effect. A breach of an application security tool potentially grants access to vulnerability data and code from every customer organization that uses the platform.
Organizations should treat any third-party security tooling with the same scrutiny applied to other dependencies, including verifying image digests, monitoring for unexpected behavior in build environments, and maintaining rollback capabilities for pipeline tooling.