
Checkmarx Data Stolen in TeamPCP Supply Chain Attack

Checkmarx confirmed Tuesday that hackers stole source code, employee databases, and API credentials during a March supply chain attack on its KICS open source project. The breach, attributed to the TeamPCP hacking group, also compromised the popular Bitwarden CLI NPM package and dozens of GitHub Action version tags.

According to Checkmarx’s disclosure, the attackers initially gained access through the Trivy supply chain attack on March 23, 2026, then used compromised credentials to access the company’s GitHub repositories. The Lapsus$ extortion group added Checkmarx to its leak site over the weekend, claiming theft of MongoDB and MySQL credentials alongside the source code and employee data.

Timeline of the Multi-Stage Attack

The compromise unfolded in three distinct phases over five weeks. TeamPCP first exploited vulnerabilities in the Trivy security scanner to gain initial access to Checkmarx’s development environment on March 23.

Despite Checkmarx removing malicious packages and rotating credentials after the initial breach, the attackers either retained or regained access. On April 22, they published a second wave of malicious code by poisoning a DockerHub KICS image, a GitHub action, a VS Code extension, and a Developer Assist extension.

The final phase compromised the Bitwarden command-line interface NPM package, one of the most widely used open source password management tools. This escalation demonstrates how supply chain attacks can cascade across multiple software ecosystems.

TeamPCP’s Broader Campaign Targets

The Checkmarx breach represents just one component of TeamPCP’s extensive supply chain campaign targeting multiple open source software ecosystems. Security researchers have linked the group to attacks on numerous GitHub repositories and package managers throughout 2026.

Messages posted by TeamPCP and Lapsus$ around the time of the Checkmarx compromise suggest the two threat actors may have partnered for monetization purposes. This collaboration could explain the sophisticated multi-stage nature of the attack and the eventual data leak on Lapsus$’s Tor-based site.

The attackers used compromised credentials to hijack dozens of GitHub Action version tags, allowing them to reference malware without making visible changes to the affected repositories. This technique makes detection significantly more difficult for security teams monitoring code repositories.
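Because a moved version tag silently changes which commit a workflow runs, the standard mitigation is to pin third-party actions to a full commit SHA. The following added example (not from the article, Checkmarx or GitHub) audits workflow YAML for `uses:` references that are not SHA-pinned; the sample workflow, the action names other than `actions/checkout`, and the SHA in it are constructed.

```python
"""Flag GitHub Actions workflow steps whose `uses:` reference is a mutable
tag or branch rather than an immutable 40-hex commit SHA.

Added example for the tag-hijacking technique described above. A tag can be
repointed to a malicious commit without any visible repository change; a full
commit SHA cannot.
"""
import re

# Matches `uses: owner/repo[/path]@ref`, with an optional `- ` list marker.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"#\s]+)['\"]?")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow: only line 8 is pinned to a (made-up) SHA.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567
      - uses: some-org/some-action@main
      - uses: ./.github/actions/local
      - uses: other-org/tool
"""


def classify_ref(ref):
    """'sha' for a full commit SHA, 'tag' for a version-like tag,
    'branch' for any other ref, 'unpinned' when no @ref is given."""
    if not ref:
        return "unpinned"
    if SHA_RE.match(ref):
        return "sha"
    if re.match(r"^v?\d+(\.\d+)*$", ref):
        return "tag"
    return "branch"


def audit_workflow(text):
    """Return one finding per `uses:` line that is not pinned to a SHA."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        # Local actions and docker:// images are not tag-hijackable upstream.
        if target.startswith("./") or target.startswith("docker://"):
            continue
        action, _, ref = target.partition("@")
        kind = classify_ref(ref)
        if kind != "sha":
            findings.append({"line": lineno, "action": action, "ref": ref, "kind": kind})
    return findings


if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f['line']}: {f['action']}@{f['ref'] or '<none>'} ({f['kind']})")
```

Pinning to a SHA only helps if the pinned commit was itself reviewed; pair the check with Dependabot-style updates so pins do not go stale.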

Healthcare Sector Faces Massive Ransomware Breach

Separately, South Carolina healthcare provider Sandhills Medical Foundation disclosed a ransomware attack affecting nearly 170,000 patients. The organization discovered the breach on May 8, 2025, but only publicly disclosed the incident nearly one year later.

According to Sandhills Medical’s notice, the Inc Ransom group obtained personal information including Social Security numbers, driver’s licenses, financial data, and protected health information. The ransomware operators listed Sandhills Medical on their leak website in June 2025 and have since made stolen files available for download.

The delayed disclosure timeline highlights ongoing challenges in healthcare cybersecurity incident response. The Maine Attorney General’s Office confirmed that 170,000 individuals were affected, making this one of the larger healthcare breaches disclosed in recent months.

Ransomware Groups Turn on Each Other

In an unusual development, two newer ransomware-as-a-service operations, 0APT and KryBit, have been attacking each other’s infrastructure. The Halcyon Ransomware Research Center reported that this infighting has exposed operational data from both groups, potentially benefiting defenders.

0APT emerged in late January with a fabricated list of nearly 200 victims before going quiet for months. The group reemerged in mid-April, claiming ransomware attacks against established operators including KryBit, Everest, and RansomHouse.

KryBit launched in late March with RaaS kits targeting Windows, Linux, ESXi, and network-attached storage devices using an 80/20 affiliate model. The group published 10 legitimate victims in its first two weeks before becoming embroiled in the feud with 0APT.

Cybersecurity Experts Sentenced for BlackCat Scheme

Two US cybersecurity professionals received four-year prison sentences for participating in BlackCat ransomware attacks while working as ransomware negotiators. Ryan Goldberg of Georgia and Kevin Martin of Texas pleaded guilty to conspiracy charges, while a third participant, Angelo Martino of Florida, awaits sentencing scheduled for July 9.

Court documents show the trio received approximately $1.2 million from one victim, keeping 80% of ransom payments while paying 20% to BlackCat administrators. The case highlights the risk of insider threats within the cybersecurity industry.

BlackCat targeted more than 1,000 organizations between November 2021 and December 2023 before authorities disrupted the operation. The US government continues offering a $10 million reward for information on key BlackCat members.

Critical Flaw Turns Vect Ransomware Into Wiper

The Vect 2.0 ransomware contains a critical design flaw that causes it to permanently destroy files larger than 128KB instead of encrypting them. Check Point Software researchers discovered the bug affects Windows, Linux, and VMware ESXi variants.

The flaw exists in Vect’s ChaCha20-IETF encryption scheme, which generates four random nonces for large files but only saves the final nonce to disk. This makes decryption impossible for the first three chunks of any file above 131,072 bytes, effectively turning the ransomware into a destructive wiper.

Vect has been deployed against victims of TeamPCP supply chain attacks, but the encryption flaw complicates ransom payment scenarios since file recovery becomes impossible regardless of payment.

What This Means

These incidents underscore the evolving complexity of cyber threats across multiple attack vectors. Supply chain attacks like the Checkmarx breach demonstrate how a single compromise can cascade across entire software ecosystems, affecting downstream users and customers.

The healthcare sector remains particularly vulnerable, with the Sandhills Medical breach highlighting persistent challenges in timely incident disclosure and response. The nearly year-long delay between discovery and public notification raises questions about regulatory enforcement and patient notification requirements.

The infighting between ransomware groups and the sentencing of insider threats suggest some instability within cybercriminal operations. However, the technical sophistication of attacks continues advancing, as seen in TeamPCP’s multi-stage campaign and the unintended destructive capabilities of flawed ransomware variants.

FAQ

How did TeamPCP compromise Checkmarx’s systems?
TeamPCP initially exploited vulnerabilities in the Trivy security scanner to gain access to Checkmarx’s GitHub environment on March 23, 2026. They then used compromised credentials to access repositories and poison multiple software packages across three separate attack phases.

Why did Sandhills Medical wait nearly a year to disclose the breach?
Sandhills Medical discovered the ransomware attack on May 8, 2025, but spent nearly a year investigating with law enforcement and cybersecurity experts before publicly disclosing the incident. This timeline appears to exceed typical breach notification requirements in most states.

What makes the Vect 2.0 ransomware particularly dangerous?
Vect 2.0 contains a critical encryption flaw that permanently destroys files larger than 128KB instead of encrypting them. This makes the malware function as a wiper rather than traditional ransomware, making file recovery impossible even if victims pay the ransom demand.

Digital Mind News

Digital Mind News is an AI-operated newsroom. Every article here is synthesized from multiple trusted external sources by our automated pipeline, then checked before publication. We disclose our AI authorship openly because transparency is part of the product.