Skip to main content
Application Security Standards
Checkmarx Repository Compromise: Seven Days from Publish to ExfiltrationIncident
5 min readFor Compliance Teams

Checkmarx Repository Compromise: Seven Days from Publish to Exfiltration

What Happened

On March 23, 2026, malicious artifacts were published through a compromised Checkmarx GitHub repository. Seven days later, on March 30, attackers exfiltrated data from systems that had consumed these artifacts. The stolen data appeared on the dark web on April 25. Checkmarx engaged Mandiant for forensic investigation and notified law enforcement.

The attack vector was a supply chain compromise—attackers gained access to Checkmarx's repository infrastructure and inserted malicious code into legitimate build artifacts. Organizations that pulled these artifacts during the seven-day window inadvertently installed backdoored code into their development environments.

Timeline

March 23, 2026: Malicious artifacts published to Checkmarx GitHub repository

March 23-30, 2026: Seven-day exposure window during which organizations downloaded compromised artifacts

March 30, 2026: Data exfiltration occurred from affected systems

April 25, 2026: Stolen data published on dark web

Post-incident: Mandiant engaged for forensic investigation; law enforcement notified

The seven-day gap between publication and exfiltration indicates the attackers were strategic. They published, waited for adoption, then activated the exfiltration mechanism. This suggests planning and patience—characteristics of supply chain attacks that make them particularly dangerous.

Which Controls Failed or Were Missing

Repository Access Controls

The attackers gained write access to production repositories, indicating a failure in privileged access management. Your GitHub organization should enforce:

  • Multi-factor authentication for all accounts with write access
  • IP allowlisting for repository modifications
  • Branch protection rules requiring multiple approvals for releases
  • Separate accounts for automated publishing (not shared developer credentials)

Artifact Signing and Verification

If Checkmarx had implemented cryptographic signing for all published artifacts, downstream consumers could have detected the tampering. The absence of signature verification meant organizations had no cryptographic proof of provenance.

Build Reproducibility

A reproducible build process would have allowed Checkmarx to compare the published artifacts against expected outputs. The fact that malicious code was inserted suggests either:

  • Builds were not reproducible
  • No automated comparison was performed between build outputs and published artifacts
  • The compromise occurred after the build but before publication

Egress Monitoring

The March 30 exfiltration should have triggered alerts. Either egress monitoring was insufficient, or alerts were not acted upon quickly enough to prevent data loss. The 26-day gap between exfiltration and dark web publication suggests the data was staged, analyzed, or held for leverage.

Dependency Pinning in Downstream Organizations

Organizations that consumed the malicious artifacts likely used version ranges (e.g., ^1.2.0) rather than pinned versions with checksum verification. This allowed automatic updates to pull compromised code without human review.

What the Relevant Standards Require

NIST 800-53 Rev 5

SR-3 (Supply Chain Controls and Processes): Organizations must employ security and privacy measures to protect against supply chain threats. This includes verifying the integrity and provenance of system components.

SR-4 (Provenance): Document and maintain provenance of system components. For software artifacts, this means maintaining a chain of custody from build to deployment.

SR-6 (Supplier Assessments and Reviews): Even trusted suppliers like Checkmarx require ongoing assessment. Your supply chain risk management program should include monitoring supplier security incidents and adjusting trust levels accordingly.

ISO/IEC 27001:2022

Control 5.19 (Information Security in Supplier Relationships): Define and document information security requirements for supplier relationships. This includes requirements for how suppliers protect your data and notify you of incidents.

Control 8.30 (Outsourced Development): When using third-party development tools or artifacts, implement controls to ensure integrity. This includes verification mechanisms and secure configuration.

PCI DSS v4.0.1

If you process payment card data and use third-party components:

Requirement 6.3.2: Maintain an inventory of bespoke and custom software, and third-party software components. You need to know what you're using before you can verify its integrity.

Requirement 6.3.3: All system components and software are protected from known vulnerabilities by installing applicable security patches/updates. This includes monitoring for security advisories from your suppliers—not just vulnerability databases.

Lessons and Action Items for Your Team

Implement Artifact Verification (This Week)

Add cryptographic verification to your dependency ingestion process:

  1. Pin all dependencies to specific versions with SHA-256 checksums
  2. Use tools like Sigstore or in-toto to verify artifact signatures
  3. Configure your build pipeline to fail if signature verification fails
  4. Document the verification process in your secure development lifecycle

If your language ecosystem doesn't support signing, use subresource integrity checks and maintain a golden repository of vetted artifacts.

Audit Repository Access (This Week)

Review who has write access to your repositories:

  • Remove service accounts that haven't been used in 90 days
  • Enforce MFA on all accounts with merge or publish permissions
  • Implement branch protection requiring two approvals for release branches
  • Enable audit logging and review it monthly

Build a Supplier Incident Response Playbook (This Month)

When a supplier like Checkmarx announces a compromise, you need a process:

  1. Identify which systems consume artifacts from that supplier (requires maintaining an SBOM)
  2. Determine exposure window: when did you pull artifacts?
  3. Isolate potentially affected systems
  4. Verify artifact integrity against known-good checksums
  5. Prepare communication for internal stakeholders and customers

Document this process now, before you need it under pressure.

Implement Egress Monitoring (This Quarter)

The March 30 exfiltration should have been detectable:

  • Baseline normal egress patterns for development environments
  • Alert on large data transfers to unknown destinations
  • Require egress through authenticated proxies
  • Log all outbound connections from systems with access to sensitive data

Create an SBOM for Every Deployment (This Quarter)

You cannot respond to a supply chain incident if you don't know what you're running. Generate a Software Bill of Materials for every production deployment:

  • Use tools like Syft, Trivy, or language-specific SBOM generators
  • Store SBOMs in a searchable repository
  • When a supplier announces a compromise, query your SBOM repository to identify affected deployments in minutes, not days

The seven-day window between publication and exfiltration was enough time to detect the compromise—if the right controls had been in place. Your goal is to shrink that window to zero by verifying before you deploy.

Software Bill of Materials

Topics:Incident

You Might Also Like

Ollama CVE-2026-7482: Memory Leak Hits 300,000 Servers
5 min readFor Compliance Teams

Ollama CVE-2026-7482: Memory Leak Hits 300,000 Servers

What Happened Cyera disclosed a critical heap out-of-bounds read vulnerability in Ollama, a popular open-source framework for running large language models locally. The flaw, tracked as CVE-2026-7482

Read
1.6M Ollama Servers Found Running Without Auth
4 min readFor Security Engineers

1.6M Ollama Servers Found Running Without Auth

What Happened Intruder s security team scanned over 1 million exposed AI services across the public internet, uncovering widespread security failures in AI infrastructure. The scan revealed that 31% o

Read
Five Malicious Rust Crates Steal Secrets from CI/CD
3 min readFor Security Engineers

Five Malicious Rust Crates Steal Secrets from CI/CD

Summary of the Incident Between late February and early March 2026, attackers published five malicious Rust crates to crates.io disguised as time utility libraries. These packages executed code during

Read