Checkmarx, a leader in application security testing, has confirmed that a threat actor successfully exfiltrated data from its internal GitHub repositories and posted it on the dark web. This breach stems from a sophisticated supply chain attack initially identified on March 23, 2026. For security practitioners, this incident serves as a critical reminder: even security vendors are susceptible to the very attack vectors they aim to mitigate. The exposure of source code and potentially proprietary internal logic poses a significant risk, not only to Checkmarx but to organizations relying on the integrity of their security tooling supply chain. Immediate action is required to audit access logs and validate the integrity of security tools within your environment.
Technical Analysis
- Affected Products/Platforms: Checkmarx internal GitHub repositories; potential implications for downstream consumers of Checkmarx software updates or dependencies.
- CVE Identifiers: None assigned yet (active incident).
- Attack Chain:
  - Initial Compromise: supply chain attack vector (March 23, 2026).
  - Lateral Movement/Access: unauthorized access to internal GitHub repositories.
  - Exfiltration: data extraction and publication on dark web forums.
  - Impact: exposure of intellectual property and potential hardcoded secrets.
- Exploitation Status: Confirmed breach; exfiltrated repository data has been observed on the dark web. The compromise mechanism is still under investigation, so there is no single patch or CVE to track yet.
The attack leveraged the supply chain to gain a foothold, pivoting to source code management (SCM) infrastructure. While the specific compromise mechanism (e.g., compromised PAT, session hijacking, or malicious dependency injection) is under investigation, the outcome is clear: unauthorized read access to sensitive code repositories.
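Because the exposure includes source history, the first practical question for anyone holding a clone of an affected repository (or auditing their own repositories for the same weakness) is which credentials inside it must be rotated. The following is an added example, not code from Checkmarx or from this page: it scans text, or every line ever added to any branch of a local git repository, for credential formats that are unambiguous on sight (GitHub token prefixes, AWS access key IDs, PEM private keys) plus generic `key = value` assignments filtered by Shannon entropy so placeholders are not reported. The token prefixes are the publicly documented formats; the entropy threshold, the `Finding` type and the sample diff are assumptions made for this illustration.

```python
import math
import re
import subprocess
from dataclasses import dataclass

# Added example, not Checkmarx's or the page's code. Scans for credential formats
# that must be rotated if they appear in an exposed repository. Token prefixes are
# the documented public formats; thresholds and sample data are assumptions.

TOKEN_PATTERNS = {
    # GitHub classic PAT / OAuth / user-to-server / server-to-server / refresh tokens
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    # GitHub fine-grained personal access token
    "github_fine_grained_pat": re.compile(r"\bgithub_pat_[A-Za-z0-9_]{82}\b"),
    # AWS long-term (AKIA) and temporary (ASIA) access key IDs
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    # PEM-encoded private key material
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
}

# Generic "name = value" assignments; only reported when the value looks random.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)\b(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]?([A-Za-z0-9_\-/+=]{20,})"
)
ENTROPY_THRESHOLD = 4.0  # bits per character; assumption, tune per code base


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    counts = {c: s.count(c) for c in set(s)}
    return -sum(k / n * math.log2(k / n) for k in counts.values())


@dataclass(frozen=True)
class Finding:
    kind: str
    line_no: int
    redacted: str  # first 8 characters only, so findings can be shared safely


def scan_text(text: str) -> list[Finding]:
    """Return one Finding per credential-looking value in text, in line order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in TOKEN_PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append(Finding(kind, line_no, m.group(0)[:8] + "..."))
        for m in GENERIC_ASSIGNMENT.finditer(line):
            value = m.group(1)
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append(Finding("generic_secret", line_no, value[:8] + "..."))
    return findings


def scan_git_history(repo_path: str) -> list[Finding]:
    """Scan every line ever added on any branch of a local repository.

    A secret that was later deleted is still in history (and in any exfiltrated
    clone), which is why this walks `git log -p --all` rather than the working tree.
    """
    out = subprocess.run(
        ["git", "-C", repo_path, "log", "-p", "--all", "--no-color"],
        check=True, capture_output=True, text=True, errors="replace",
    ).stdout
    added = "\n".join(ln[1:] for ln in out.splitlines()
                      if ln.startswith("+") and not ln.startswith("+++"))
    return scan_text(added)


# Constructed sample (not real credentials): the AWS key is AWS's documented
# example key ID, the GitHub token is a made-up string in the classic PAT format.
SAMPLE_DIFF = """\
+$env:GITHUB_TOKEN = "ghp_0123456789abcdefghijABCDEFGHIJ012345"
+$AwsKey = "AKIAIOSFODNN7EXAMPLE"
+$Password = "changeme"
+api_key = "Qk2mN9pL4vR8sT1wY3zB6cD0fG5hJ7Xa"
+api_key = "REPLACE_WITH_YOUR_KEY_BEFORE_USE"
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_DIFF):
        print(f"line {f.line_no}: {f.kind} {f.redacted}")
```

Run against the sample, lines 1, 2 and 4 are reported and the two placeholders on lines 3 and 5 are not (`changeme` is too short, `REPLACE_WITH_YOUR_KEY_BEFORE_USE` has about 3.8 bits per character). Anything this reports is a rotation candidate regardless of whether the value is still in the current tree.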
Detection & Response
Given the confirmed exfiltration of repository data, defenders must hunt for indicators of suspicious Git activity and potential lateral movement involving SCM tools. The following rules focus on detecting anomalous usage of Git executables and API interactions that are often precursors to or indicators of repository exfiltration.
**Sigma**

```yaml
---
title: Suspicious Git Process Execution on Non-Developer Endpoints
id: 8a4b2c1d-9e6f-4a3b-8c7d-1e2f3a4b5c6d
status: experimental
description: Detects execution of git.exe or git.cmd from a location other than the standard Git for Windows install path or a user profile, which on servers and non-developer endpoints can indicate lateral movement or data staging. Tune the filter for authorized developer workstations; on servers consider dropping the user-profile exclusion so staging under a profile's Temp directory is not hidden.
references:
    - https://attack.mitre.org/techniques/T1213/
author: Security Arsenal
date: 2026-04-06
tags:
    - attack.collection
    - attack.t1213
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\git.exe'
            - '\git.cmd'
    # Optional narrowing for servers: add "and selection_clone" to the condition
    # to alert only on clone operations.
    selection_clone:
        CommandLine|contains: 'clone'
    # Known-good locations; Sigma has no "notcontains" modifier, exclusions are
    # expressed as a filter negated in the condition.
    filter_known_paths:
        Image|contains:
            - '\Program Files\Git\'
            - '\Users\'
    condition: selection and not filter_known_paths
falsepositives:
    - Legitimate software updates or deployments
    - Developer activities on authorized workstations
level: high
```
```yaml
---
title: PowerShell Accessing GitHub API
id: 9b5c3d2e-0f7a-5b4c-9d8e-2f3a4b5c6d7e
status: experimental
description: Detects PowerShell invoking the GitHub REST API through Invoke-RestMethod or Invoke-WebRequest (or their irm/iwr aliases), which may indicate automated repository enumeration or exfiltration. The API host and a web cmdlet must both appear on the command line; a script loaded from a file is not visible here, so pair this rule with script block logging (Event ID 4104).
references:
    - https://attack.mitre.org/techniques/T1059/001/
author: Security Arsenal
date: 2026-04-06
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
    selection_api:
        CommandLine|contains: 'api.github.com'
    # Listing the host and the cmdlets in one "contains" list would OR them and
    # fire on every Invoke-WebRequest; keep them in separate selections.
    selection_cmdlet:
        CommandLine|contains:
            - 'Invoke-RestMethod'
            - 'Invoke-WebRequest'
            - 'irm '
            - 'iwr '
    condition: all of selection_*
falsepositives:
    - Legitimate DevOps automation scripts
    - Package management tools
level: medium
```
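Before shipping rules like the two above, it helps to run them against a handful of sample events to confirm the filter and the AND across selections behave as intended. The block below is an added example, not part of the original rules or of any Sigma tooling: a minimal evaluator that implements the Sigma string modifiers the rules use (plain, `contains`, `startswith`, `endswith`, case-insensitive as in Sigma) and a per-rule condition function, with the two rules transcribed as Python dicts. The event records, the `Rule` type and the field names are constructed for this illustration.

```python
from dataclasses import dataclass
from typing import Callable

# Added example, not from the page or any Sigma backend: a small rule evaluator
# for offline testing of the two detections above. Rules and events are
# constructed copies; field names follow Sysmon/EDR process-creation telemetry.


@dataclass(frozen=True)
class Rule:
    title: str
    detection: dict                     # search-id -> {"Field|modifier": values}
    condition: Callable[[dict], bool]   # {search-id: bool} -> fired?


def field_matches(event: dict, spec: str, values) -> bool:
    """One 'Field|modifier: values' entry; a list of values is OR-ed."""
    name, _, modifier = spec.partition("|")
    actual = str(event.get(name, "")).lower()
    if isinstance(values, str):
        values = [values]
    vals = [str(v).lower() for v in values]
    if modifier == "":
        return any(actual == v for v in vals)
    if modifier == "contains":
        return any(v in actual for v in vals)
    if modifier == "startswith":
        return any(actual.startswith(v) for v in vals)
    if modifier == "endswith":
        return any(actual.endswith(v) for v in vals)
    raise ValueError(f"unsupported modifier: {modifier}")


def search_matches(event: dict, search: dict) -> bool:
    """All field entries inside one search identifier are AND-ed."""
    return all(field_matches(event, spec, vals) for spec, vals in search.items())


def evaluate(rule: Rule, event: dict) -> bool:
    results = {sid: search_matches(event, s) for sid, s in rule.detection.items()}
    return bool(rule.condition(results))


GIT_ON_NON_DEV = Rule(
    "Suspicious Git Process Execution on Non-Developer Endpoints",
    {
        "selection": {"Image|endswith": ["\\git.exe", "\\git.cmd"]},
        "filter_known_paths": {"Image|contains": ["\\Program Files\\Git\\", "\\Users\\"]},
    },
    lambda r: r["selection"] and not r["filter_known_paths"],  # selection and not filter
)

PS_GITHUB_API = Rule(
    "PowerShell Accessing GitHub API",
    {
        "selection_img": {"Image|endswith": ["\\powershell.exe", "\\pwsh.exe"]},
        "selection_api": {"CommandLine|contains": "api.github.com"},
        "selection_cmdlet": {"CommandLine|contains": ["Invoke-RestMethod", "Invoke-WebRequest", "irm ", "iwr "]},
    },
    lambda r: all(v for k, v in r.items() if k.startswith("selection_")),  # all of selection_*
)

# Constructed sample events. Event 2 is a normal Git for Windows install, event 4
# is a PowerShell download that does not touch GitHub; neither should fire.
SAMPLE_EVENTS = [
    {"id": 1, "Image": r"C:\Windows\Temp\git.exe",
     "CommandLine": r"git.exe clone https://github.com/example/internal-repo.git C:\Windows\Temp\r"},
    {"id": 2, "Image": r"C:\Program Files\Git\cmd\git.exe",
     "CommandLine": "git.exe fetch origin"},
    {"id": 3, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -c "Invoke-RestMethod -Uri https://api.github.com/orgs/example/repos -Headers $hdr"'},
    {"id": 4, "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": 'pwsh -c "Invoke-WebRequest https://intranet.example/update.zip -OutFile u.zip"'},
]


def run_rules(events, rules=(GIT_ON_NON_DEV, PS_GITHUB_API)) -> list[tuple[str, int]]:
    """Return (rule title, event id) for every rule/event pair that fires."""
    return [(rule.title, ev["id"]) for ev in events for rule in rules if evaluate(rule, ev)]


if __name__ == "__main__":
    for title, event_id in run_rules(SAMPLE_EVENTS):
        print(f"event {event_id}: {title}")
```

On the sample, only event 1 (git.exe under `C:\Windows\Temp`) and event 3 (PowerShell calling `api.github.com`) fire. The evaluator deliberately has no `condition` string parser; each rule's condition is a Python function so the logic under test is explicit.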
**KQL (Microsoft Sentinel / Defender)**
Hunt for Git process execution correlated with network connections to GitHub from the same device. Note that Git for Windows opens the HTTPS connection from git-remote-https.exe rather than git.exe, and that process and network timestamps never coincide exactly, so the correlation uses a one-minute window rather than an equality join on Timestamp.
```kql
// Hunt for Git executable usage correlated with network connections to GitHub (last 7 days)
let lookback = 7d;
let GitProcs = DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where FileName in~ ("git.exe", "git")
    | project ProcTime = Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName;
let GitHubConns = DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    // Exact host match plus subdomains such as api.github.com; endswith "github.com" alone
    // would also match unrelated domains ending in those characters
    | where RemoteUrl =~ "github.com" or RemoteUrl endswith ".github.com"
    | project NetTime = Timestamp, DeviceName, RemoteUrl, RemotePort, LocalIP, NetProcess = InitiatingProcessFileName;
GitProcs
| join kind=inner GitHubConns on DeviceName
| where abs(datetime_diff('second', ProcTime, NetTime)) <= 60
| summarize Connections = count(), Commands = make_set(ProcessCommandLine, 10), SourceIPs = make_set(LocalIP, 5)
    by DeviceName, AccountName, RemoteUrl
| where Connections > 10 // Threshold for suspicious volume; tune per environment
```
**Velociraptor VQL**
Hunt for running Git processes and for .git directories in staging locations (temp and system directories) rather than under user home directories. The process name is git.exe on Windows and git on Linux/macOS, so both are matched exactly; a regex such as `=~ 'git'` would also match unrelated names that merely contain the string.
```vql
-- Hunt for running Git processes
SELECT Pid, Name, CommandLine, Exe, Username
FROM pslist()
WHERE Name = 'git' OR Name = 'git.exe'

-- Hunt for .git directories in staging locations. A pattern like "/*/.git/config"
-- only matches one level below the root, so recurse with "**" (three levels by
-- default; use "**5" for deeper trees). Use FullPath instead of OSPath on
-- Velociraptor versions that predate the OSPath column.
SELECT OSPath, Size, Mtime
FROM glob(globs=["/tmp/**/.git/config",
                 "/var/tmp/**/.git/config",
                 "/opt/**/.git/config",
                 "C:/Windows/Temp/**/.git/config",
                 "C:/ProgramData/**/.git/config"])
```
**Triage Script (PowerShell)**
This script identifies recent Git activity and GitHub API use from PowerShell on a Windows endpoint, helping to scope the potential breach. It does not remediate anything; it reads running processes and the PowerShell Operational log, which only contains script blocks (Event ID 4104) if script block logging is enabled on the host.
```powershell
# Triage script: check for running Git processes and recent PowerShell script blocks
# that reference GitHub's API or git commands.
# Run as Administrator where possible; the Operational log needs script block logging enabled.
Write-Host "[+] Checking for currently running Git processes..."
$gitProcesses = Get-Process -Name git -ErrorAction SilentlyContinue
if ($gitProcesses) {
    Write-Host "[!] ALERT: Found running Git processes:" -ForegroundColor Red
    $gitProcesses | Format-List Id, ProcessName, Path, StartTime
} else {
    Write-Host "[-] No running Git processes found." -ForegroundColor Green
}

Write-Host "[+] Checking PowerShell Operational log for GitHub API interactions (last 24h)..."
# Match the API host or a git transfer command; a bare 'git' would also match words such as 'digital'.
$pattern = 'api\.github\.com|\bgit(\.exe)?\s+(clone|fetch|pull|push|archive|bundle)\b'
try {
    $events = Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; ID=4104; StartTime=(Get-Date).AddHours(-24)} -ErrorAction Stop
    $suspicious = $events | Where-Object { $_.Message -match $pattern }
    if ($suspicious) {
        Write-Host "[!] ALERT: Found suspicious PowerShell script blocks:" -ForegroundColor Red
        # Script blocks can be very large; show the first 500 characters of each
        $suspicious | Select-Object TimeCreated, Id, @{Name='Snippet'; Expression={ $_.Message.Substring(0, [Math]::Min(500, $_.Message.Length)) }} | Format-List
    } else {
        Write-Host "[-] No suspicious PowerShell script blocks found." -ForegroundColor Green
    }
} catch {
    # Get-WinEvent with -ErrorAction Stop also throws when no events match the filter,
    # so this branch covers "nothing in the window" as well as a disabled or unreadable log.
    Write-Host "[-] Could not read the PowerShell Operational log (no events in window, logging disabled, or access denied): $($_.Exception.Message)"
}
```
Remediation
- Credential Rotation: Assume that any Personal Access Tokens (PATs), SSH keys, or OAuth tokens stored within the exposed repositories are compromised and rotate them immediately. Apply the same assumption to credentials your own organization has shared with Checkmarx-integrated tooling (for example SCM tokens configured in a scanner).
- Audit Logs: Review GitHub audit logs and Checkmarx access logs for the period from March 23, 2026 to the present. Look for anomalous source IP addresses, unusual `git clone`/`git push` patterns (for example one actor cloning many repositories in a short window), or unauthorized API usage.
- Integrity Verification: If your organization runs Checkmarx software, verify the integrity of your installations. Compare file hashes and code signatures against the values the vendor publishes before trusting any update received since March 23, to ensure no malicious code was injected via the supply chain.
- Supply Chain Audit: Inventory all internal and third-party dependencies and integrations that connect to Checkmarx services. Restrict that access to the necessary IP ranges and enforce MFA for all repository access.
- Official Advisory: Monitor the official Checkmarx security advisory page for specific CVEs or IoCs related to the March 23 attack.
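The audit-log review above is easiest to do systematically over an export rather than in the web UI. The block below is an added example, not from this page, Checkmarx or GitHub: it triages an exported GitHub audit log (one JSON object per line) for the two exfiltration signals the list calls out, clones from outside trusted networks and one actor cloning an unusual number of repositories within an hour. The field names `action`, `actor`, `actor_ip`, `repo` and `@timestamp` (epoch milliseconds) follow GitHub's audit-log export; treat them, the trusted ranges and the threshold as assumptions to map onto your own export, and confirm the export actually contains `git.clone`/`git.fetch` events, which are not recorded on every plan.

```python
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timezone

# Added example, not from the page, Checkmarx or GitHub. Field names, trusted
# networks and the threshold are assumptions; the sample log is constructed.

GIT_READ_ACTIONS = {"git.clone", "git.fetch"}
# Assumption: corporate egress ranges (documentation-only TEST-NET blocks here)
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]
MASS_CLONE_THRESHOLD = 5  # distinct repositories per actor per hour; tune to your baseline


def parse_events(lines):
    """Yield parsed events, skipping blank or malformed lines instead of aborting the hunt."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def is_untrusted_ip(ip: str) -> bool:
    """True for any address outside TRUSTED_NETWORKS; unparsable values count as untrusted."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return not any(addr in net for net in TRUSTED_NETWORKS)


def triage(lines) -> dict:
    """Return untrusted-network clones and actors that mass-cloned within one UTC hour."""
    untrusted = []
    repos_by_actor_hour = defaultdict(set)
    for ev in parse_events(lines):
        if ev.get("action") not in GIT_READ_ACTIONS:
            continue
        actor, repo, ip = ev.get("actor", "?"), ev.get("repo", "?"), ev.get("actor_ip", "")
        if is_untrusted_ip(ip):
            untrusted.append({"actor": actor, "actor_ip": ip, "repo": repo, "action": ev["action"]})
        ts = datetime.fromtimestamp(int(ev.get("@timestamp", 0)) / 1000, tz=timezone.utc)
        repos_by_actor_hour[(actor, ts.strftime("%Y-%m-%dT%H:00Z"))].add(repo)
    mass = [{"actor": a, "hour": h, "repos": len(r)}
            for (a, h), r in sorted(repos_by_actor_hour.items())
            if len(r) >= MASS_CLONE_THRESHOLD]
    return {"untrusted_clones": untrusted, "mass_cloners": mass}


def _ts(hour: int, minute: int) -> int:
    """Epoch milliseconds for a time on 2026-03-23 UTC (helper for the constructed sample)."""
    return int(datetime(2026, 3, 23, hour, minute, tzinfo=timezone.utc).timestamp() * 1000)


# Constructed sample log (not real GitHub data): alice is normal, bob clones six
# repositories in six minutes from a trusted address, ci-bot clones from an
# unknown network, and one line is corrupt.
SAMPLE_LINES = [
    json.dumps({"action": "git.clone", "actor": "alice", "actor_ip": "203.0.113.10",
                "repo": "example/app", "@timestamp": _ts(9, 5)}),
    json.dumps({"action": "repo.create", "actor": "alice", "actor_ip": "203.0.113.10",
                "repo": "example/new", "@timestamp": _ts(9, 6)}),
    *[json.dumps({"action": "git.clone", "actor": "bob", "actor_ip": "203.0.113.11",
                  "repo": f"example/svc-{i}", "@timestamp": _ts(10, i)}) for i in range(6)],
    json.dumps({"action": "git.clone", "actor": "ci-bot", "actor_ip": "192.0.2.77",
                "repo": "example/app", "@timestamp": _ts(11, 30)}),
    "not json at all",
]

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LINES), indent=2))
```

Feed it the real export with `triage(open("audit-log.json"))`. Hour buckets are a coarse baseline; for a production hunt compare each actor's distinct-repository count against their own history rather than a fixed number, and treat a service account cloning from a new network as the highest-priority hit, since that is the pattern a stolen token produces.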