2026-04-27 The Hacker News

Checkmarx Data Leaked on Dark Web After Supply Chain Attack

Tags: Supply Chain, Data Breach, Threat Intel

Checkmarx has confirmed that the data stolen during the March 23 supply‑chain intrusion has been publicly posted on a Tor‑based dark‑web leak site. The company’s incident response team, working alongside third‑party forensic experts, determined that a threat actor accessed the firm’s internal GitHub repositories and exfiltrated a 2.5 GB archive containing source code, internal commit histories, and a collection of personal access tokens (PATs) used by developers. The leaked archive was discovered on a well‑known criminal forum where the actor, identified by the moniker “PhantomClad,” posted a link to the data alongside a brief summary of the contents.

Technical analysis of the breach reveals that the initial compromise stemmed from a phishing email that harvested credentials for a privileged service account. Using those credentials, the attacker generated a long‑lived PAT with read‑write permissions on Checkmarx’s GitHub Enterprise Cloud organization. The PAT was then used to clone multiple private repositories via the GitHub API, after which the data was compressed and transferred to an external command‑and‑control server before being staged for public release. Forensic logs show the PAT was active for approximately 14 hours before being revoked, and the exfiltrated archive included configuration files, CI/CD scripts, and a subset of customer‑specific API keys.
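A defender-side check for the pattern described above (one PAT cloning many private repositories within a short window), as an added example that is not from the article, Checkmarx or GitHub. The event field and action names are assumptions loosely modelled on GitHub audit-log exports, and the sample events are constructed:

```python
"""Flag a token that clones many distinct private repos in a short window.
Added example, not from the article, Checkmarx or GitHub; the event shape
(action names such as "git.clone", the token_id field) is an assumption
loosely modelled on GitHub audit-log exports. Adapt the keys to your own."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real log data: one service account clones
# six repos in twelve minutes; a developer clones two repos hours apart.
SAMPLE_EVENTS = [
    {"@timestamp": f"2026-03-23T01:{m:02d}:00Z", "action": "git.clone",
     "actor": "svc-build", "token_id": "pat_A", "repo": f"acme/repo-{i}"}
    for i, m in enumerate(range(2, 14, 2))
] + [
    {"@timestamp": "2026-03-23T09:00:00Z", "action": "git.clone",
     "actor": "dev-alice", "token_id": "pat_B", "repo": "acme/docs"},
    {"@timestamp": "2026-03-23T17:30:00Z", "action": "git.clone",
     "actor": "dev-alice", "token_id": "pat_B", "repo": "acme/web"},
    {"@timestamp": "2026-03-23T01:20:00Z", "action": "git.push",
     "actor": "svc-build", "token_id": "pat_A", "repo": "acme/repo-0"},
]


def parse_ts(ts):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def detect_mass_clone(events, window=timedelta(hours=1), min_repos=5):
    """Return one alert per (actor, token) pair that clones at least
    `min_repos` distinct repositories inside any sliding window of length
    `window`. Only clone events count; pushes and fetches are ignored."""
    clones = defaultdict(list)
    for e in events:
        if e.get("action") == "git.clone":
            key = (e["actor"], e.get("token_id"))
            clones[key].append((parse_ts(e["@timestamp"]), e["repo"]))
    alerts = []
    for (actor, token_id), items in clones.items():
        items.sort()
        peak, start = 0, 0
        for end in range(len(items)):
            # Advance the window start until it spans at most `window`.
            while items[end][0] - items[start][0] > window:
                start += 1
            peak = max(peak, len({repo for _, repo in items[start:end + 1]}))
        if peak >= min_repos:
            alerts.append({"actor": actor, "token_id": token_id,
                           "distinct_repos": peak})
    return alerts
```

Tune `window` and `min_repos` to the normal clone volume of each service account; a legitimate CI runner may clone many repositories, so pair the alert with a check that the token was created recently.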

The exposure of source code and credentials raises significant concerns for Checkmarx’s customers and the broader software supply chain. Among the leaked assets are internal tooling for static application security testing (SAST) and software composition analysis (SCA), which could be repurposed to craft targeted attacks against downstream adopters. Additionally, the exposed PATs and API keys could grant attackers unauthorized access to third‑party services integrated with Checkmarx’s platform, leading to possible secondary breaches or data leakage elsewhere.

Checkmarx has notified affected customers, rotated all compromised credentials, and is enforcing mandatory multi‑factor authentication (MFA) across its internal systems. The company is collaborating with law‑enforcement agencies and has engaged a leading threat‑intelligence firm to monitor for misuse of the leaked material. In an advisory, Checkmarx urges users to audit their integrations, revoke any tokens that may have been exposed, and apply the latest security patches to mitigate risks associated with the compromised source code.

Source: The Hacker News
