Checkmarx Details Supply Chain Attack via Trivy Vulnerability
Checkmarx Details Supply Chain Attack Stemming from Trivy Scanner Vulnerability
Impact Scope
Affected Companies
Industries Affected
Full Report
Executive Summary
Application security testing company Checkmarx has published an update on a sophisticated supply chain security incident. The attack's initial vector is believed to be the 'TeamPCP' attack, which exploited a vulnerability in the Trivy open-source scanner to harvest credentials. These stolen credentials were then used to gain unauthorized access to Checkmarx's GitHub repositories. The attackers proceeded to publish malicious code artifacts, exfiltrate repository data, and ultimately leak the stolen information on a dark web forum. Checkmarx has stressed that its customer production environment is separate and was not affected, and customer data was not exposed.
Incident Timeline
The incident unfolded over several weeks, demonstrating a patient and multi-stage attack:
- March 23, 2026: Initial compromise. Attackers, using credentials stolen via the Trivy scanner vulnerability, gain access to Checkmarx's GitHub environment. On the same day, they publish the first wave of malicious code artifacts.
- March 30, 2026: Data exfiltration occurs. The attackers download data from the compromised GitHub repositories.
- April 22, 2026: A second wave of malicious artifacts is published, indicating the attackers maintained or regained access.
- April 25, 2026: A cybercriminal group (reportedly LAPSUS$ in one source, though this is a common attribution for data leaks) publishes the exfiltrated Checkmarx data on the dark web.
Technical Analysis
This incident is a textbook example of a modern software supply chain attack, involving multiple stages and tools.
- Initial Access - Third-Party Tool Exploit: The attack did not target Checkmarx directly at first. It began by exploiting a vulnerability in a third-party tool, Trivy, used within the development environment. This yielded credentials (
T1190- Exploit Public-Facing Application). - Valid Accounts: The stolen credentials provided the attackers with legitimate access to Checkmarx's GitHub environment (
T1078- Valid Accounts). - Compromise Software Development Environment: The attackers gained direct access to the source code repositories, a highly privileged position (
T1554- Compromise Infrastructure). - Inject Malicious Code: The attackers published malicious artifacts, attempting to poison the software supply chain (
T1195.001- Supply Chain Compromise: Compromise Software Dependencies and Development Tools). - Data Exfiltration: The attackers exfiltrated repository data, likely for extortion, intellectual property theft, or to find further vulnerabilities (
T1537- Transfer Data to Cloud Account).
Impact Assessment
Although Checkmarx asserts that no customer data was exposed, the incident is still highly damaging. The primary impacts are:
- Reputational Damage: As a leading application security company, a security breach of this nature is particularly harmful to its brand and credibility.
- Intellectual Property Risk: The exfiltration of source code repositories could expose proprietary algorithms, internal tools, and future product plans.
- Supply Chain Risk: The attempt to publish malicious artifacts posed a direct threat to any downstream consumers of Checkmarx's open-source projects or build processes.
Checkmarx's response, including retaining incident response firm Mandiant, rotating credentials, and conducting a full code audit, demonstrates a mature approach to handling the breach. The separation between their GitHub environment and customer production environment was a critical security control that prevented a much worse outcome.
IOCs — Directly from Articles
No specific Indicators of Compromise were provided in the source articles.
Cyber Observables — Hunting Hints
Organizations should focus on securing their own development pipelines:
Detection & Response
- GitHub Advanced Security: Implement tools like GitHub's code scanning and secret scanning to automatically detect vulnerabilities and exposed credentials in repositories.
- CI/CD Pipeline Monitoring: Monitor CI/CD pipelines for anomalous behavior, such as a build process accessing unusual network resources or a test failing in a strange way.
- Credential Rotation: Have a plan in place for rapid, wide-scale rotation of all credentials associated with the development environment in case of a suspected breach.
Mitigation
- Secure Developer Tools: The initial vector was a vulnerable scanner. It is critical to keep all developer tools patched and securely configured.
- Principle of Least Privilege: Developer accounts on GitHub and other platforms should have the minimum necessary permissions. Use branch protection rules to prevent direct pushes to main branches.
- MFA Everywhere: Enforce mandatory MFA for all developer accounts, especially those with push access to repositories.
- Secret Management: Do not store credentials or secrets in source code. Use a dedicated secret management solution like HashiCorp Vault or AWS/GCP/Azure secret managers.
Timeline of Events
MITRE ATT&CK Mitigations
Code Signing
Implement strict code and artifact signing to ensure the integrity of the build pipeline and prevent unauthorized artifacts.
Multi-factor Authentication
Enforce MFA on all developer accounts, especially for access to source code management systems like GitHub.
Update Software
Ensure all third-party developer tools, such as the Trivy scanner, are kept up-to-date to patch known vulnerabilities.
Privileged Account Management
Apply the principle of least privilege to developer permissions within GitHub, using branch protection and code owner rules.
D3FEND Defensive Countermeasures
The Checkmarx incident originated from a vulnerability in a third-party tool, Trivy. This underscores the critical importance of maintaining a comprehensive and timely software update process for all tools within the software development lifecycle (SDLC). Organizations must have a robust vulnerability management program that not only scans production applications but also all developer tools, libraries, and CI/CD components. A patch for the Trivy vulnerability would have prevented the initial credential harvesting, stopping the attack chain before it began. This requires a full software bill of materials (SBOM) for the development environment and automated scanning to detect and prioritize vulnerable components.
Even though credentials were stolen, enforcing phishing-resistant Multi-factor Authentication on Checkmarx's GitHub organization could have served as a critical backstop. If an attacker possesses a valid password but cannot produce the second factor (e.g., a FIDO2 security key), the login attempt fails. All organizations must enforce mandatory MFA for their source code management systems. This is not just a best practice; it is an essential control to protect the crown jewels of a software company—its source code. Relying on passwords alone for such a critical asset is no longer a defensible security posture.
In the context of a software supply chain attack, System File Analysis extends to 'source code analysis' and 'artifact analysis'. Checkmarx should (and likely does) implement automated scanning within their CI/CD pipeline to detect secrets, keys, or other sensitive information accidentally committed to their GitHub repositories. Furthermore, monitoring for unexpected changes to critical build files (e.g., GitHub Actions workflows, Dockerfiles) can detect an attacker's attempt to inject malicious code. By continuously analyzing the files that constitute the software and its build process, organizations can detect unauthorized modifications intended to create a downstream compromise.
Timeline of Events
Attackers gain initial access to Checkmarx's GitHub and publish the first wave of malicious artifacts.
Attackers exfiltrate data from the compromised GitHub repositories.
A second wave of malicious artifacts is published by the attackers.
A cybercriminal group publishes the stolen Checkmarx data on the dark web.
Sources & References
Article Author
Jason Gomes
• Cybersecurity PractitionerCybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.
Tags
📢 Share This Article
Help others stay informed about cybersecurity threats
🎯 MITRE ATT&CK Mapped
Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.
🧠 Enriched & Analyzed
Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.
🛡️ Actionable Guidance
Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.
🔗 STIX Visualizer
Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.
⚡ Sigma Generator
Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.