Checkmarx has disclosed that its ongoing investigation into a supply chain security incident has found that a cybercriminal group published company-related data on the dark web.
The Israeli security company said, “Based on existing evidence, we believe this data originated from Checkmarx’s GitHub repository, and access to that repository was facilitated through the initial supply chain attack of March 23, 2026.”
It also emphasized that the GitHub repository is maintained separately from its customer production environment, adding that no customer data is stored in the repository. Checkmarx said its forensic investigation into the incident is ongoing and that it is actively working to verify the nature and scope of the data posted.
Additionally, the company said it has shut down access to the affected GitHub repositories as part of its incident response efforts.
“If we determine that this incident involved customer information, we will immediately notify customers and all relevant parties,” it added.
This development comes after Dark Web Informer shared in an X post that the LAPSUS$ cybercrime group has claimed three victims on its data leak site, one of which is Checkmarx. According to the listing, the data includes source code, employee databases, API keys, and MongoDB/MySQL credentials.
Checkmarx suffered a breach late last month following a Trivy supply chain attack that resulted in two of its GitHub Actions workflows and two plugins distributed through the Open VSX Marketplace being compromised, enabling a credential stealer to collect a wide range of developer secrets. The threat actor known as TeamPCP claimed responsibility for the attack.
A financially motivated group is suspected of having compromised Checkmarx’s KICS Docker image last week, as well as two VS Code extensions and a GitHub Actions workflow, with a similar credential-stealing malware. This, in turn, had a widespread impact, leading to a brief compromise of the Bitwarden CLI npm package.