Checkmarx confirms supply chain attack by TeamPCP and Lapsus$ targeting KICS project
AI-generated from multiple sources. Verify before acting on this reporting.
JERUSALEM — Checkmarx confirmed Tuesday that a coordinated supply chain attack on its KICS open source project resulted in the theft of sensitive data, including source code, employee databases, and API keys. The breach involved the hijacking of GitHub Action version tags, which are mutable references that can be re-pointed at a different commit, and the poisoning of software packages to exfiltrate credentials from the environments that installed them.
The attack was attributed to the TeamPCP hacking group and the Lapsus$ extortion group. Security researchers found that the attackers compromised the build pipeline of KICS, an open source infrastructure-as-code scanner, and used it to inject malicious code into otherwise legitimate packages distributed through GitHub, DockerHub, and OpenVSX. Because the compromised packages were released under version tags that appeared authentic, users who referenced those tags rather than an immutable commit SHA or image digest pulled the malicious builds on their next update.
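The tag-hijack mechanism described above is what makes mutable references dangerous: a tag such as `v4` can be moved by anyone with push access to the action repository, while a full commit SHA or a sha256 image digest cannot. As an added example, not code from Checkmarx or the KICS project, the following Python script flags `uses:` and `image:` references in a GitHub Actions workflow that resolve through a tag or branch instead of a full commit SHA or digest. The workflow text it scans is constructed for illustration, and the 40-hex SHA in it is a placeholder, not a real commit.

```python
import re

# Matches `uses: owner/repo[/path]@ref`, `uses: ./local` or `uses: docker://image`.
# The optional leading "-" covers list items; the capture stops at whitespace, quotes
# and "#", so a trailing "# v4.2.2" comment is ignored.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
IMAGE_RE = re.compile(r"^\s*-?\s*image:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def check_uses(ref):
    """Return None if an action reference is immutable, otherwise the reason it is not."""
    if ref.startswith("./"):
        return None  # local action: versioned together with the calling repository
    if ref.startswith("docker://"):
        return None if DIGEST_RE.search(ref) else "container action not pinned by @sha256 digest"
    if "@" not in ref:
        return "no ref given, resolves to the action's default branch"
    pinned = ref.rsplit("@", 1)[1]
    if FULL_SHA_RE.match(pinned):
        return None
    return "mutable ref '%s' (tag or branch) instead of a full commit SHA" % pinned


def check_image(ref):
    """Container images are immutable only when pulled by digest, never by tag."""
    return None if DIGEST_RE.search(ref) else "image not pinned by @sha256 digest"


def find_mutable_refs(workflow_text):
    """Return (line_no, reference, reason) for every mutable reference in a workflow."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            reason = check_uses(m.group(1))
        else:
            m = IMAGE_RE.match(line)
            reason = check_image(m.group(1)) if m else None
        if m and reason:
            findings.append((line_no, m.group(1), reason))
    return findings


# Constructed sample workflow (hypothetical names; the SHA on line 10 is a placeholder).
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  kics:
    runs-on: ubuntu-latest
    container:
      image: ghcr.io/example/scanner:latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # pinned
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - uses: example/some-action
"""

if __name__ == "__main__":
    for line_no, ref, reason in find_mutable_refs(SAMPLE_WORKFLOW):
        print("line %d: %s: %s" % (line_no, ref, reason))
```

Run against the sample, the script reports the `:latest` image, `actions/checkout@v4`, the `docker://alpine:3.19` step and the unversioned `example/some-action`, and accepts the SHA-pinned and local steps. A SHA pin only helps if the commit it names was reviewed before it was pinned, and the `# v4.2.2` style comment beside a pin is documentation, not enforcement, so it should be kept in sync by a dependency-update bot rather than by hand.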
Checkmarx stated that the intrusion allowed the threat actors to access internal systems and extract proprietary information. The stolen data includes database credentials and API keys that could be used to access additional systems or impersonate legitimate users. The company has since revoked the compromised credentials and secured its development environment.
The incident highlights the growing threat of supply chain attacks, in which attackers target software development tools and repositories to compromise downstream users. A poisoned security scanner is an especially effective foothold: KICS runs inside its users' CI pipelines with the same access as any other build step, so the attackers positioned themselves to potentially reach any organization that ran the tool for security scanning. The breach occurred on April 29, 2026, and was detected after anomalies in the build process were flagged.
Lapsus$, known for targeting major technology companies, has a history of using social engineering and credential theft to gain access to corporate networks. TeamPCP has been linked to similar supply chain compromises in the past. The collaboration between the two groups suggests a coordinated effort to maximize the impact of the attack.
Checkmarx has notified affected customers and is working with cybersecurity authorities to determine the scope of the breach. The company is also reviewing its software development lifecycle to prevent future incidents. The attack underscores the importance of securing software supply chains and of verification practices that do not rely on mutable version tags: pinning actions and container images to commit SHAs and content digests, and checking signatures or build provenance where a project publishes them.
Questions remain about the full extent of the data exfiltration and whether the stolen credentials have been used in subsequent attacks. Security experts are monitoring for signs of the compromised API keys being exploited in other systems. The incident is expected to prompt increased scrutiny of open source software security practices across the industry.