Apr 30, 2026 · 5 min read
Hackers Spent Two Months Backdooring the Tools Developers Trust Most—LAPSUS$ Just Dumped 96GB of Checkmarx's Code
A threat group called TeamPCP rolled through Trivy, KICS, the Telnyx Python SDK, LiteLLM, and Bitwarden CLI for two months. On April 28, 2026, Checkmarx confirmed 96 gigabytes of its private GitHub data was now on the LAPSUS$ extortion portal. Anyone who built software in March or April should assume their secrets are compromised.
The Two Month Trail
The campaign started in late February 2026, when TeamPCP exploited an incomplete credential rotation inside Aqua Security's Trivy repository. Trivy is one of the most widely used open source vulnerability scanners. By March 19, the attackers had compromised the aqua-bot service account and force pushed malicious code to 76 of 77 version tags in aquasecurity/trivy-action and every tag in aquasecurity/setup-trivy.
Anyone who pinned to those versions started running malware that hunted for cloud credentials, SSH keys, GitHub tokens, npm publish access, and Kubernetes configuration files. It also planted persistent backdoors on developer machines.
That single foothold turned into a list of secondary victims:
- March 23: Malicious code injected into KICS, the static analysis scanner maintained by Checkmarx.
- March 27: A malicious release of the Telnyx Python SDK published to PyPI, carrying a three-stage remote access tool that exfiltrated data to attacker-controlled servers.
- April 22 (5:57 PM ET to 7:30 PM ET): A trojanized Bitwarden CLI version `2026.4.0` appeared on npm with no matching GitHub release. It was removed in roughly 90 minutes, but 334 developers had already downloaded it.
- April 22: Poisoned Docker images and compromised VSCode and Open VSX extensions for the KICS scanner pushed publicly, designed to steal credentials, keys, tokens, and config files from anyone who installed them.
By the time defenders had a clear picture, the attackers had been camping inside Checkmarx's GitHub environment for roughly a month.
The 96GB Leak
On April 25, 2026, LAPSUS$ posted a 96GB archive on its dark web and clearnet portals. Checkmarx confirmed two days later that the data came from one of its private GitHub repositories.
The company says no customer data was stored in the affected repository. What was there is arguably worse for the open source ecosystem: source code, internal CI/CD secrets, and the kind of build pipeline knowledge that makes the next supply chain attack easier to plan.
LAPSUS$ is not the original attacker. According to Palo Alto Networks Unit 42, TeamPCP ran the intrusion, then partnered with the Vect ransomware crew and LAPSUS$ to monetize the stolen material. TeamPCP bragged on BreachForums that they "will pull off even bigger supply chain operations."
Why Security Tools Are the Perfect Target
The pattern is not random. TeamPCP went after a specific class of software:
- Vulnerability scanners (Trivy, KICS)
- Static analysis tools (KICS)
- AI gateways (LiteLLM)
- Communications SDKs (Telnyx)
- Password managers (Bitwarden CLI)
These tools share three properties that make them dream targets. They run with elevated privileges in CI pipelines. They have access to the most sensitive secrets a company owns. And developers are explicitly told to trust them.
Socket's analysis put it bluntly: "Attackers are deliberately targeting the tools developers are told to trust most."
It works because the trust is structural. Most CI configurations pin a security scanner version once and forget it. Most developers do not audit the source of every npm or PyPI release they install. Most package registries do not enforce that an npm release matches a GitHub release. Bitwarden's poisoned CLI sat live for 90 minutes because of that gap.
What This Means for Anyone Who Builds Software
If your CI pipeline used Trivy, KICS, the Telnyx Python SDK, Bitwarden CLI, or LiteLLM in late February through April 2026, assume your build secrets are compromised until you can prove otherwise.
Concrete steps:
- Rotate everything that touched a CI runner. GitHub tokens, cloud credentials, npm publish tokens, SSH keys, Kubernetes service accounts. Pin to known good releases or commit SHAs after rotation.
- Audit your scanner version history. If you use `aquasecurity/trivy-action` or `aquasecurity/setup-trivy` and you do not pin to a SHA, you ran malicious code. Check Microsoft's detection guidance.
- Check npm and PyPI install logs for late February through April. The Bitwarden CLI `2026.4.0` and the malicious Telnyx PyPI release should not be in any lockfile.
- Stop trusting registry releases without GitHub release matching. Tools like Socket and StepSecurity flag mismatches automatically. Without that, you are relying on luck.
- Treat security scanners as production code. They have production access. They deserve production review.
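As an added illustration of the audit steps above (not code from the article or from any of the vendors it names), a Python script that flags workflow references to `trivy-action` and `setup-trivy` that are pinned to a tag rather than a full commit SHA, flags the known-bad Bitwarden CLI version in a `package-lock.json`, and lists npm versions that have no matching GitHub release tag. The workflow, lockfile, version lists and the commit SHA are constructed samples, and the npm package name `@bitwarden/cli` is an assumption.

```python
import json
import re

# Constructed sample inputs, not taken from the article.
WORKFLOW = """\
jobs:
  scan:
    steps:
      - uses: aquasecurity/setup-trivy@v0.2.0
      - uses: aquasecurity/trivy-action@0.28.0
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567
"""
PACKAGE_LOCK = json.dumps({"packages": {
    "node_modules/@bitwarden/cli": {"version": "2026.4.0"},
    "node_modules/left-pad": {"version": "1.3.0"}}})
# Registry versions vs. GitHub release tags: 2026.4.0 exists only on npm.
NPM_VERSIONS = ["2026.3.0", "2026.3.1", "2026.4.0"]
GITHUB_RELEASE_TAGS = ["v2026.3.0", "v2026.3.1"]

WATCHED_ACTIONS = ("aquasecurity/trivy-action", "aquasecurity/setup-trivy")
KNOWN_BAD = {"@bitwarden/cli": {"2026.4.0"}}  # package name assumed; version from the article
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"uses:\s*([\w.-]+/[\w.-]+)@(\S+)")

def unpinned_actions(workflow_text):
    """Watched actions referenced by a mutable tag instead of a full commit SHA."""
    return [(action, ref) for action, ref in USES_RE.findall(workflow_text)
            if action in WATCHED_ACTIONS and not SHA_RE.match(ref)]

def flagged_lock_entries(lock_text):
    """(package, version) pairs in package-lock.json that match a known-bad release."""
    lock = json.loads(lock_text)
    hits = []
    for path, entry in lock.get("packages", {}).items():
        name = path.rpartition("node_modules/")[2]
        if entry.get("version") in KNOWN_BAD.get(name, ()):
            hits.append((name, entry["version"]))
    return hits

def versions_without_release(npm_versions, release_tags):
    """Registry versions with no matching GitHub release tag (tags may carry a 'v')."""
    tags = {t.lstrip("v") for t in release_tags}
    return [v for v in npm_versions if v not in tags]

if __name__ == "__main__":
    print("unpinned:", unpinned_actions(WORKFLOW))
    print("known-bad in lockfile:", flagged_lock_entries(PACKAGE_LOCK))
    print("npm-only versions:", versions_without_release(NPM_VERSIONS, GITHUB_RELEASE_TAGS))
```

Pointing the same functions at real workflow files, lockfiles and the output of `npm view <pkg> versions --json` and the GitHub releases API gives the registry-vs-release check the article says most registries do not enforce.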
The Larger Pattern
TeamPCP's campaign is the clearest demonstration yet that the developer toolchain is now its own attack surface. The same trend is showing up everywhere. Hackers hijacked CPU-Z and HWMonitor downloads for six hours in early April. Someone bought 30 WordPress plugins and backdoored all of them for eight months. The Bitwarden CLI was hit again in October's Shai Hulud attack.
The lesson is not that any one tool is bad. It is that the trust model behind modern software is brittle. When the security scanner is the malware vector, "shift left" stops meaning anything.
LAPSUS$ has the data now. TeamPCP says bigger operations are coming. The defenders have a few weeks to harden their pipelines before the next round. Two days later, TeamPCP delivered: the Mini Shai-Hulud worm hit four SAP npm packages and added persistence inside Claude Code and VS Code config files.