[Figure: breach brief header, 27 Apr 2026, source thehackernews.com. Attack graph (lateral propagation): Threat actor → Checkmarx → Checkmarx GitHub → KICS scanner → Customer A, Customer B; legend: infected / target / clean.]
// News Desk · 27 April 2026 · supply chain · data breach · commentary

Checkmarx confirms its GitHub repo data is on the dark web

The March supply-chain attack on Checkmarx has produced its second-order disclosure. The interesting question is what their customers' build pipelines were exposed to.

Checkmarx, the application-security vendor whose tooling sits inside the build pipelines of a long list of enterprise customers, has confirmed that data from its 23 March supply-chain compromise has surfaced on the dark web. The Hacker News reports the data appears to have come from Checkmarx’s own GitHub repositories, and a cybercriminal group is openly advertising the dump.

The first-order story here is the one that travels well: a security vendor was breached, and their customer-facing material is now public. That headline lands every time. The second-order story is the one that matters operationally and that very few of the news write-ups are reaching for.

Checkmarx’s KICS infrastructure-as-code scanner appeared in this week’s TeamPCP supply-chain update as one of the tools the cluster has now compromised. KICS is widely deployed. It runs inside customer CI pipelines as a privileged process — it has to, in order to read every line of every infrastructure-as-code file in your repos and emit a security report. The Checkmarx GitHub repos behind it almost certainly contain build secrets, integration tokens, signing keys, and the source code of the very tooling that runs inside customer pipelines. The interesting question for any organisation running a Checkmarx integration is not “is our scanner still working.” It’s “what does the threat actor now know about how our scanner connects to our build, what credentials it carries, and what it has the ability to do once it’s in there.”

The defender response is the same one we’ve been recommending after every security-vendor breach in the last eighteen months, and it never gets less true. Audit any active integration with Checkmarx — or any application-security vendor disclosing a similar incident this year. Rotate API tokens, GitHub access tokens, deploy keys, and any cloud credentials the integration uses. Review what level of repo access the integration was granted; almost certainly it’s broader than today’s threat model says it should be. Assume that whatever assumptions you made about the integration’s blast radius when you set it up — usually some version of “we trust the vendor” — are stale, and tighten them.
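The audit and rotation steps above can be scripted. The block below is an added example written for this commentary, not Checkmarx's or GitHub's code. It runs two checks over constructed input: it compares a GitHub App installation's granted permissions (sample JSON shaped like the REST installation object, values invented) against a read-only-scanner baseline that is an assumption of the example, and it walks a constructed GitHub Actions workflow to list every `${{ secrets.* }}` reference in jobs that invoke a step from the vendor's namespace, which is the rotation list. The `checkmarx/kics-github-action` reference in the sample workflow is illustrative; the real action's inputs are not what the example depends on.

```python
"""Post-vendor-breach integration audit (added example, constructed input)."""
import json
import re

# Assumed least-privilege baseline for a scanner that reads source and posts
# check results. Anything granted beyond this is flagged for review.
SCANNER_BASELINE = {
    "contents": "read",
    "metadata": "read",
    "checks": "write",
    "pull_requests": "read",
}
RANK = {"none": 0, "read": 1, "write": 2, "admin": 3}

# Constructed sample shaped like GitHub's installation object
# (GET /app/installations/{id}); every value here is invented.
SAMPLE_INSTALLATION = json.loads("""
{
  "id": 12345678,
  "app_slug": "example-scanner-app",
  "repository_selection": "all",
  "permissions": {
    "contents": "write",
    "metadata": "read",
    "checks": "write",
    "pull_requests": "write",
    "actions": "read",
    "secrets": "read"
  }
}
""")

# Constructed sample workflow; the vendor action reference is illustrative.
SAMPLE_WORKFLOW = """
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make build
        env:
          ARTIFACT_TOKEN: ${{ secrets.ARTIFACT_TOKEN }}
  iac-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: KICS scan
        uses: checkmarx/kics-github-action@v2
        with:
          token: ${{ secrets.CX_API_TOKEN }}
      - name: upload
        run: ./upload.sh
        env:
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          GH_DEPLOY_KEY: ${{secrets.GH_DEPLOY_KEY}}
"""

# Job names are the two-space-indented keys directly under "jobs:".
JOB_RE = re.compile(r"^  ([A-Za-z0-9_-]+):[ \t]*$", re.M)
# GitHub Actions secret expression syntax: ${{ secrets.NAME }}
SECRET_RE = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")


def excess_permissions(installation, baseline=SCANNER_BASELINE):
    """Return {permission: (granted, expected)} for each grant broader than
    the baseline; 'all repositories' selection is flagged as well."""
    findings = {}
    for perm, granted in installation.get("permissions", {}).items():
        expected = baseline.get(perm, "none")
        if RANK.get(granted, 0) > RANK.get(expected, 0):
            findings[perm] = (granted, expected)
    if installation.get("repository_selection") == "all":
        findings["repository_selection"] = ("all", "selected")
    return findings


def split_jobs(workflow_text):
    """Split the jobs: section into {job_name: job_text} without a YAML
    parser; good enough for the fixed indentation Actions workflows use."""
    body = workflow_text[workflow_text.find("\njobs:"):]
    matches = list(JOB_RE.finditer(body))
    jobs = {}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(body)
        jobs[m.group(1)] = body[m.start():end]
    return jobs


def rotation_list(workflow_text, vendor_marker="checkmarx/"):
    """Secrets referenced in any job that runs a step from the vendor's
    namespace: every one of them is reachable from the vendor's code."""
    return {
        name: sorted(set(SECRET_RE.findall(text)))
        for name, text in split_jobs(workflow_text).items()
        if vendor_marker in text
    }


if __name__ == "__main__":
    for perm, (got, want) in excess_permissions(SAMPLE_INSTALLATION).items():
        print(f"over-broad: {perm}: granted={got} baseline={want}")
    for job, secrets in rotation_list(SAMPLE_WORKFLOW).items():
        print(f"rotate (job {job}): {', '.join(secrets)}")
```

Against the sample input the first check flags `contents` and `pull_requests` as write where read would do, `actions` and `secrets` as grants the baseline never asked for, and the all-repositories selection; the second lists the three secrets the `iac-scan` job exposes while ignoring the unrelated `build` job. Point the same two functions at real installation JSON and real workflow files and the output is the review and rotation list the paragraph calls for.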

A vendor’s source code on the dark web is the headline. The downstream credential and integration graph is the substance.
