On May 22, 2026, the Qilin ransomware group publicly claimed responsibility for a cyberattack against Semgrep, a prominent US-based software security firm best known for its open-source static analysis platform. The group posted Semgrep to its dark web leak site and threatened to release sensitive stolen data unless the company opened negotiations through Qilin's designated channels. The claim was first surfaced through dark web monitoring by DeXpose analysts, who flagged the post within hours of its appearance.
What Happened
Qilin's extortion notice named Semgrep (semgrep.dev) directly, accompanied by the now-standard threat: "The full leak will be published soon, unless a company representative contacts us via the channels provided." The post follows the group's established double-extortion playbook, where data is exfiltrated prior to encryption and used as leverage even when victims can recover from backups. As of publication, Semgrep has not issued a public statement confirming the scope of the intrusion, the systems affected, or whether ransomware payloads were deployed inside the environment. The listing places Semgrep alongside dozens of other software, manufacturing, and healthcare victims that Qilin has named throughout 2025 and into 2026.
What Was Taken
Qilin has not yet published sample files or a full data tree, which is consistent with the group's negotiation-first posture during the initial pressure window. Based on Semgrep's business profile, the data at risk is significant: source code analysis rules, customer telemetry, vulnerability findings from enterprise scans, internal engineering documentation, employee records, and potentially API keys or integration secrets used to connect Semgrep to customer CI/CD pipelines. Any exposure of customer scan results would be particularly damaging, as these datasets effectively map known weaknesses inside Semgrep's clients' codebases.
Why It Matters
Semgrep sits inside the software supply chain. Its product is embedded in the build pipelines of thousands of organizations, including financial services, technology firms, and government contractors. A compromise of a security vendor is materially different from a compromise of a typical enterprise: stolen integration tokens, rule sets, or customer scan data can be weaponized against downstream targets. Qilin, a Russian-speaking ransomware-as-a-service operation active since 2022, has increasingly prioritized high-leverage victims whose breaches generate secondary blast radius. This attack continues a 2026 trend of ransomware groups targeting security tooling vendors to maximize extortion pressure and cascading risk.
The Attack Technique
Initial access vectors have not been disclosed. Qilin affiliates historically rely on phishing for credential theft, exploitation of public-facing applications (including VPN appliances and Citrix systems), and the purchase of access from initial access brokers. Once inside, affiliates typically use Cobalt Strike or Sliver for command-and-control, harvest credentials with Mimikatz, move laterally via RDP and SMB, and stage data with Rclone or MEGA before deploying the Qilin (Agenda) encryptor written in Rust or Go. Customers of Semgrep should assume any shared secrets, OAuth tokens, or SCM integration credentials may be exposed until Semgrep confirms otherwise.
What Organizations Should Do
- Rotate any credentials, API keys, webhooks, and SCM tokens shared with Semgrep or stored in Semgrep integrations until the vendor confirms the scope of the compromise.
- Audit CI/CD pipeline logs for anomalous activity originating from Semgrep service accounts or integration endpoints over the past 60 days.
- Hunt for known Qilin TTPs in your environment: Rclone exfiltration to MEGA, suspicious PsExec usage, and Cobalt Strike beacon patterns tied to recent Qilin affiliate infrastructure.
- Validate that backups are immutable, offline, and recently tested for restore integrity, since Qilin actively targets backup repositories prior to encryption.
- Enforce phishing-resistant MFA on all administrative and developer accounts, and review conditional access policies for third-party SaaS integrations.
- Engage qualified incident response counsel and threat intelligence partners before any contact with the threat actor, and avoid direct negotiation without legal guidance.
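The audit and hunting steps above can be turned into a repeatable triage script. The following Python is an added example written for this article, not code from Semgrep, DeXpose, or any Qilin analysis; it runs over constructed sample telemetry embedded inline (hypothetical hosts, users, and CI/CD audit records) and flags two of the TTPs named above, Rclone staging to a MEGA remote and PsExec activity, plus integration-account actions that come from outside the vendor's expected egress range or exceed the permissions the integration was granted. The egress network, the actor name "semgrep-integration", and the granted action set are assumptions to be replaced with values from your own environment.

```python
import ipaddress
import ntpath
import re

# Constructed sample endpoint process-creation events (not real telemetry).
PROCESS_EVENTS = [
    {"host": "build-01", "user": "svc_ci", "image": r"C:\Tools\rclone.exe",
     "cmdline": r"rclone.exe copy D:\repos mega:dump --transfers 32"},
    {"host": "dev-07", "user": "alice", "image": r"C:\Program Files\Git\bin\git.exe",
     "cmdline": "git.exe push origin main"},
    {"host": "fs-02", "user": "SYSTEM", "image": r"C:\Windows\PSEXESVC.exe",
     "cmdline": "PSEXESVC.exe"},
    {"host": "dev-03", "user": "bob", "image": r"C:\Tools\rclone.exe",
     "cmdline": r"rclone.exe sync C:\photos gdrive:backup"},
    {"host": "jump-01", "user": "admin", "image": r"C:\Tools\PsExec64.exe",
     "cmdline": r"PsExec64.exe \\fs-02 -s cmd.exe"},
]

# Constructed CI/CD audit records for a hypothetical integration account.
CICD_AUDIT = [
    {"ts": "2026-05-20T03:12:44Z", "actor": "semgrep-integration",
     "src_ip": "203.0.113.9", "action": "secret.read", "repo": "payments-api"},
    {"ts": "2026-05-20T09:01:10Z", "actor": "semgrep-integration",
     "src_ip": "198.51.100.23", "action": "checks.write", "repo": "payments-api"},
    {"ts": "2026-05-21T11:40:02Z", "actor": "semgrep-integration",
     "src_ip": "198.51.100.23", "action": "webhook.create", "repo": "infra"},
    {"ts": "2026-05-21T12:00:00Z", "actor": "dev-bot",
     "src_ip": "203.0.113.9", "action": "secret.read", "repo": "infra"},
]

# Hypothetical allowlists: the vendor's published egress range and the actions
# the integration was granted. Replace with values from your own configuration.
VENDOR_EGRESS = [ipaddress.ip_network("198.51.100.0/24")]
INTEGRATION_ACTIONS = {"repo.read", "checks.write"}
INTEGRATION_ACTOR = "semgrep-integration"

# An rclone remote named "mega:" anywhere in the command line.
MEGA_REMOTE = re.compile(r"(^|\s)mega:", re.IGNORECASE)


def _basename(path: str) -> str:
    # ntpath handles Windows-style paths regardless of the host platform.
    return ntpath.basename(path).lower()


def hunt_process_events(events):
    """Return findings for Rclone-to-MEGA staging and PsExec usage."""
    findings = []
    for ev in events:
        image = _basename(ev["image"])
        cmd = ev["cmdline"]
        if image == "rclone.exe":
            # Any rclone on a workstation or build host is worth a look;
            # a MEGA remote matches the staging pattern described above.
            rule = "rclone_to_mega" if MEGA_REMOTE.search(cmd) else "rclone_other_remote"
            sev = "high" if rule == "rclone_to_mega" else "medium"
            findings.append({"host": ev["host"], "severity": sev,
                             "rule": rule, "cmdline": cmd})
        elif image == "psexesvc.exe" or image.startswith("psexec"):
            # PSEXESVC.exe is the service PsExec drops on the remote side.
            findings.append({"host": ev["host"], "severity": "medium",
                             "rule": "psexec_activity", "cmdline": cmd})
    return findings


def audit_integration(records, actor=INTEGRATION_ACTOR,
                      egress=VENDOR_EGRESS, allowed=INTEGRATION_ACTIONS):
    """Flag integration-account actions from unknown IPs or outside granted scope."""
    findings = []
    for rec in records:
        if rec["actor"] != actor:
            continue
        ip = ipaddress.ip_address(rec["src_ip"])
        reasons = []
        if not any(ip in net for net in egress):
            reasons.append("source outside vendor egress")
        if rec["action"] not in allowed:
            reasons.append(f"action {rec['action']} outside granted scope")
        if reasons:
            findings.append({"ts": rec["ts"], "repo": rec["repo"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt_process_events(PROCESS_EVENTS):
        print(f"[{f['severity']}] {f['host']}: {f['rule']} :: {f['cmdline']}")
    for f in audit_integration(CICD_AUDIT):
        print(f"[cicd] {f['ts']} {f['repo']}: {'; '.join(f['reasons'])}")
```

On the sample data the script reports the Rclone-to-MEGA copy on build-01, the PsExec service on fs-02, the non-MEGA rclone sync on dev-03, and the PsExec launch on jump-01, and it flags the integration account's secret read from an unknown IP and its webhook creation, which exceeds the granted scope. Feed it your real EDR process events and SCM audit exports in the same field shape; the scope check is the piece that catches misuse of a leaked integration token even when the source IP looks legitimate.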
Sources: Qilin Targets Software Firm Semgrep in Ransomware Attack - DeXpose