Checkmarx confirms LAPSUS$ leaked 96GB of stolen GitHub data via Trivy supply-chain hit
Checkmarx has confirmed that data dumped by LAPSUS$ on its extortion portal was pulled from the company’s private GitHub repositories, traced back to the March 23 Trivy supply-chain compromise attributed to TeamPCP. Stolen downstream credentials from that incident gave attackers a path into Checkmarx’s GitHub environment, where they planted malicious code in artifacts including Docker images and VSCode/Open VSX extensions for the KICS scanner — payloads designed to harvest credentials, keys, tokens, and config files when run by users.
The attackers either retained persistence or regained access through April 22, indicating the original intrusion was not contained. The 96GB leak is now circulating on both dark-web and clearnet portals. Checkmarx says customer data is not stored in the affected repos but has engaged a third-party forensic firm to verify scope, locked down the repository, and committed to notifying any individuals whose data surfaces in the dump.
The chain — Trivy compromise feeding credentials into a downstream security vendor, which then ships poisoned artifacts to its own users — illustrates how a single supply-chain foothold can cascade through the security tooling ecosystem itself, turning defensive products into delivery vehicles.
Source: BleepingComputer. This is an AI-generated summary; read the original for the full story.