Checkmarx GitHub repo data appears on dark web after supply-chain breach

TL;DR - A cybercriminal group has published Checkmarx-related data to the dark web. Third-party forensics trace the source to a Checkmarx GitHub repository, accessed via the March 23, 2026 supply-chain attack. The repo is now locked down. No customer data is confirmed exposed yet, but the investigation is ongoing.

What happened

Checkmarx builds application security testing tools that sit directly inside CI/CD pipelines and developer workflows - which is exactly why a supply-chain incident involving their own infrastructure deserves attention.

In an update published April 27, 2026, Checkmarx disclosed that a cybercriminal group has posted data related to Checkmarx on the dark web. Third-party forensic investigators believe the data originated from a Checkmarx GitHub repository, and that the initial access was obtained through the supply-chain attack on March 23, 2026.

Checkmarx says the affected GitHub repository is maintained separately from its customer production environment and does not store customer data. The forensic investigation is ongoing to verify the scope and nature of what was posted. Access to the repository has been locked down, and Checkmarx has committed to notifying customers immediately if evidence of customer data exposure emerges.

When an attacker reaches a vendor's source repositories, the follow-on risk is typically exposure of build automation, signing material, or credentials that bridge into downstream developer platforms. For teams embedding AppSec tools into their pipelines, that is the vector worth watching.

Who is impacted

• Checkmarx customers and partners waiting on scope confirmation and any direct notifications from Checkmarx.
• Engineering teams that integrate Checkmarx products into CI/CD pipelines, who may need to act quickly if customer-side impact is confirmed.
• Checkmarx's own security and engineering teams actively scoping and containing the GitHub repository exposure.

What to do now

• Monitor Checkmarx communications closely - the company has committed to direct customer notification if impact is confirmed. Track updates via the Checkmarx blog and your account contacts.
• Open a support case through Checkmarx's Support Portal if you need help assessing your specific exposure.
• Prepare for rapid response now, before any confirmation:
  • Inventory every Checkmarx-integrated pipeline and identify all associated service accounts, tokens, and API keys.
  • Verify you can execute credential rotation quickly - know the process before you need it.
  • Review recent CI/CD configuration changes tied to Checkmarx integrations for anything unexpected.

Additional Information

• Checkmarx update (this item): https://checkmarx.com/blog/checkmarx-security-update-april-26/
• Previous update (April 23, 2026): https://checkmarx.com/blog/checkmarx-security-update-april-22/
• Previous update (March 24, 2026): https://checkmarx.com/blog/checkmarx-security-update/