Supply Chain Attack Exposes Security Firms: Checkmarx and Bitwarden Affected
In an alarming revelation, Checkmarx has disclosed that a recent data breach traces back to its GitHub repositories. As per the company’s statement on Monday, “Current evidence indicates that this data originated from Checkmarx’s GitHub repositories, and that access to those repositories was facilitated through the initial supply chain attack of March 23, 2023.” The company has not yet said what types of data were taken.
Trivy Breach’s Ripple Effects
Checkmarx is not the only security vendor dealing with fallout from the Trivy breach. Bitwarden has reportedly been hit as well. Socket, a cybersecurity firm, linked the Bitwarden breach to the Trivy campaign: both incidents used the same command-and-control (C2) endpoint and core infrastructure as the malware that affected Checkmarx.
Bitwarden gave a further breakdown of the incident: a malicious package was briefly served through the npm delivery path for @bitwarden/cli@2026.4.0, between 5:57 PM and 7:30 PM ET on April 22, 2026, a window of roughly an hour and a half. Anyone who installed or upgraded the CLI inside that window may have pulled the compromised package, so the practical question for affected teams is whether any build resolved that exact version.
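The check a responder actually runs is a lockfile sweep for the affected name and version. The script below is an added example, not code from the article or from Bitwarden; it relies only on the documented npm lockfile layouts (lockfileVersion 1 with a nested "dependencies" tree, versions 2 and 3 with a flat "packages" map keyed by node_modules path) and on the package name and version reported above. The embedded sample lockfile and its integrity strings are constructed placeholders.

```javascript
// Added example (not from the article or from Bitwarden): scan an npm
// package-lock.json for a specific name@version so an incident responder
// can tell whether a build resolved the briefly published malicious release.
// Supports lockfileVersion 1 (nested "dependencies") and 2/3 (flat "packages").

const AFFECTED = [
  // Name and version come from the article; nothing else is assumed.
  { name: "@bitwarden/cli", version: "2026.4.0" },
];

// Walk a v1 lockfile's nested dependencies tree, yielding one record per copy.
function* walkV1(deps, prefix) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    yield { name, path, version: entry.version, integrity: entry.integrity };
    if (entry.dependencies) yield* walkV1(entry.dependencies, path + "/");
  }
}

// Walk a v2/v3 lockfile's flat packages map. The package name is the segment
// after the last "node_modules/" in the key; the "" key is the root project.
// Aliased packages carry an explicit "name" field, which takes precedence.
function* walkV2(packages) {
  const marker = "node_modules/";
  for (const [key, entry] of Object.entries(packages || {})) {
    if (key === "") continue;
    const idx = key.lastIndexOf(marker);
    const name = entry.name || (idx >= 0 ? key.slice(idx + marker.length) : key);
    yield { name, path: key, version: entry.version, integrity: entry.integrity };
  }
}

// v2 lockfiles carry both maps; "packages" is authoritative when present.
function entriesOf(lock) {
  if (lock.packages) return [...walkV2(lock.packages)];
  return [...walkV1(lock.dependencies, "")];
}

// Return every installed copy (including nested duplicates) of an affected
// name@version, with its path and recorded integrity for comparison against
// whatever hash the vendor advisory publishes.
function findAffected(lock, affected = AFFECTED) {
  const hits = [];
  for (const e of entriesOf(lock)) {
    for (const a of affected) {
      if (e.name === a.name && e.version === a.version) hits.push(e);
    }
  }
  return hits;
}

// Constructed sample lockfile (v3 layout): one clean top-level copy of the CLI
// and one affected copy nested under another dependency. Integrity values are
// placeholders, not real hashes.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/@bitwarden/cli": { version: "2026.3.0", integrity: "sha512-PLACEHOLDER-A" },
    "node_modules/tool": { version: "1.2.3" },
    "node_modules/tool/node_modules/@bitwarden/cli": { version: "2026.4.0", integrity: "sha512-PLACEHOLDER-B" },
  },
};

function report(hits) {
  for (const h of hits) {
    console.log(`AFFECTED ${h.name}@${h.version} at ${h.path} integrity=${h.integrity}`);
  }
}

// CLI usage: node scan-lock.js path/to/package-lock.json  (exit 1 on a hit).
// Without a path argument, run against the constructed sample.
if (typeof require !== "undefined" && require.main === module && process.argv[2]) {
  const lockFromDisk = JSON.parse(require("fs").readFileSync(process.argv[2], "utf8"));
  const diskHits = findAffected(lockFromDisk);
  report(diskHits);
  process.exit(diskHits.length ? 1 : 0);
} else {
  report(findAffected(SAMPLE_LOCK));
}
```

Two caveats a responder should keep in mind. A lockfile records what was resolved, not when, so to decide whether an install fell inside the published window you still need to correlate with CI build timestamps or the registry fetch logs. And the lockfile only covers project dependencies: global installs and one-off `npx` invocations of the CLI leave no trace there and have to be checked on the host itself.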
Who is TeamPCP?
The Trivy attack has been attributed to a group known as TeamPCP, regarded as one of the most effective access-broker operations: it steals credentials from victims and resells them to other criminals. What sets TeamPCP apart is its focus on tools that already hold privileged access, which multiplies the payoff of each compromise.
In Checkmarx’s case, TeamPCP reportedly sold the stolen access to Lapsus$, an extortion group notorious for brazen breaches of large organizations. The chain illustrates how stolen access is resold and reused: the broker that took the credentials and the actor that exploited them were different groups.
Cascading Consequences of Cyber Breaches
The Checkmarx and Bitwarden incidents are a potent reminder of how a single breach cascades. With both vendors compromised, their customers and partners are exposed to follow-on attacks that reuse stolen credentials or poisoned releases.
Feross Aboukhadijeh, CEO of Socket, emphasized this point in an email: “Security organizations are particular targets because of their products’ close proximity to sensitive data and their wide distribution across the Internet.” He elaborated that attackers are increasingly viewing security tools as both targets and delivery mechanisms, exploiting the very systems designed to protect the supply chain.
Aboukhadijeh further stated, “You will see this same thread throughout these compromises. Attackers are attacking the products that are supposed to protect the supply chain, then using those same products to steal credentials and move to the next victim.”
For organizations building out supply chain defenses, these incidents show that the security tooling itself must be treated as a high-value target: pin and verify the versions you install, scope the credentials those tools hold, and watch for signs that a trusted product has been turned against you.
For the full analysis, see the original article at arstechnica.com. Image credit: arstechnica.com.