Live Cybersecurity News Ticker | Codekeeper

Checkmarx Confirms Data Theft Following Multi-Stage Supply Chain Attack

Written by Content Team | Apr 29, 2026 8:48:05 PM

Cybersecurity firm Checkmarx has confirmed that hackers stole data during a supply chain attack that began on March 23, 2026. The breach, traced to the Trivy supply chain hack, allowed the TeamPCP group, potentially partnered with the Lapsus$ extortion gang, to hijack GitHub Actions and poison multiple open source packages. A second attack wave on April 22 compromised a Docker Hub image and even the Bitwarden CLI npm package. Lapsus$ later dumped a 96 GB archive online, claiming it contained source code, employee data, and credentials. Checkmarx has since hired Mandiant, notified law enforcement, and says the breach is now fully contained.

Source: SecurityWeek