Security vendors Checkmarx and Bitwarden have both fallen victim to a coordinated supply-chain attack that began with the compromise of the Trivy vulnerability scanner's GitHub account, resulting in repeated malware distribution and a subsequent ransomware data leak.

  • Checkmarx's GitHub and Docker Hub repositories were used to deliver malware on more than one occasion.
  • The Lapsus$ ransomware group leaked private Checkmarx data acquired during the attackers' prolonged access.
  • Bitwarden's CLI package on npm briefly contained malicious code tied to the same campaign.

What happened

Starting March 19, attackers compromised the GitHub account of the Trivy vulnerability scanner and used it to push malware that harvested sensitive credentials, including repository tokens and SSH keys. Checkmarx, a major security firm, was one affected downstream user: its own GitHub account was then hijacked and used to distribute malware to Checkmarx's users on two separate occasions. The recurrence suggests the attackers retained access despite remediation efforts, which enabled the repeat infections and the subsequent ransomware data theft. A stolen token or SSH key stays valid until it is revoked, so removing the malware without rotating every credential it could have reached leaves the foothold in place.

In parallel, Bitwarden, another security company, briefly had a malicious version of its CLI tool published on npm that used the same command-and-control infrastructure as the Checkmarx attacks. The campaign was orchestrated by TeamPCP, a known access-broker group that specialises in seizing privileged credentials from widely used tools to enable further intrusions; in Checkmarx's case, that access facilitated ransomware operations by the Lapsus$ threat group.


Why it matters

These coordinated supply-chain attacks reveal a concerning trend: attackers are compromising the security product ecosystems themselves, tools that are widely deployed and trusted precisely because they exist to detect and prevent threats. A scanner or CLI that runs with access to source repositories, CI secrets and developer machines is an ideal host for credential theft, so subverting it gives attackers privileged footholds that enable the theft of corporate secrets and potentially grant access to the downstream customers who rely on these vendors.

With Checkmarx and Bitwarden both targeted, the risk extends beyond the initial victims to their extensive user bases and partners, raising the possibility of further cascading breaches and data compromises. The episode underscores the urgent need for hardened software supply-chain defences and for continuous monitoring that does not stop once an initial remediation has been declared.

What to watch next

Monitoring the fallout from these attacks will be critical as both companies continue incident response and forensic investigation. Observers should watch for new malware variants, further data leaks, and follow-on attacks against customers or downstream users of Checkmarx and Bitwarden tools. The evolving tactics of access brokers and ransomware groups such as TeamPCP and Lapsus$ will also demand ongoing threat-intelligence updates.

Additionally, industry-wide efforts to secure software repositories and delivery pipelines must intensify. Organisations relying on security and development tools should reassess their supply-chain risk posture and adopt layered protections: code signing and artifact verification, least-privilege repository access with short-lived credentials, anomaly detection on account and pipeline activity, and rapid patch deployment, all of which reduce exposure to multi-stage compromise campaigns of this kind.
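The "prolonged access despite remediation" pattern above is what anomaly detection on account activity is meant to catch: after a compromise, every persistence mechanism created since the initial intrusion (deploy keys, SSH keys, access tokens, OAuth grants, new members, new CI workflows) has to be found and revoked, and the same source address turning up across several accounts is a strong sign that one actor holds all of them. The script below is an added example, not code from the original briefing or from any of the vendors named; the audit-log format and the action names are a constructed, simplified approximation of a code-hosting platform's audit log, not GitHub's exact schema, and the sample events and the remediation cutoff are constructed for illustration.

```python
"""Flag access-granting audit events that post-date a remediation cutoff.

Added example; the event format and action names below are assumptions
modelled loosely on a code-hosting audit log, not a real platform schema.
"""
import json
from datetime import datetime, timezone

# Actions that grant lasting access; each must be reviewed and revoked
# if it was created by an attacker holding stolen credentials.
PERSISTENCE_ACTIONS = {
    "deploy_key.create": "deploy key",
    "public_key.create": "user SSH key",
    "personal_access_token.create": "personal access token",
    "oauth_app.authorize": "OAuth app grant",
    "org.add_member": "org membership",
    "workflow.create": "CI workflow",
}

# Constructed sample log (JSON lines). Addresses are documentation ranges.
SAMPLE_LOG = """\
{"ts": "2026-03-18T09:00:00Z", "action": "repo.push", "actor": "dev1", "target": "org/scanner", "ip": "192.0.2.5"}
{"ts": "2026-03-19T10:02:11Z", "action": "public_key.create", "actor": "ci-bot", "target": "ci-bot", "ip": "203.0.113.10"}
{"ts": "2026-03-20T08:15:00Z", "action": "deploy_key.create", "actor": "ci-bot", "target": "org/scanner", "ip": "198.51.100.7"}
{"ts": "2026-03-21T12:00:00Z", "action": "repo.push", "actor": "dev1", "target": "org/scanner", "ip": "192.0.2.5"}
{"ts": "2026-03-22T09:30:00Z", "action": "personal_access_token.create", "actor": "dev1", "target": "dev1", "ip": "192.0.2.5"}
{"ts": "2026-03-23T01:44:09Z", "action": "oauth_app.authorize", "actor": "dev2", "target": "org", "ip": "198.51.100.7"}
"""

# Constructed cutoff: the moment the upstream account was locked and
# the first credential rotation was performed.
CUTOFF = datetime(2026, 3, 20, tzinfo=timezone.utc)


def parse_events(text):
    """Parse JSON-lines audit events; timestamps become aware datetimes."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def baseline_ips(events, cutoff):
    """Source addresses each actor used before the cutoff (assumed benign)."""
    seen = {}
    for ev in events:
        if ev["ts"] < cutoff:
            seen.setdefault(ev["actor"], set()).add(ev["ip"])
    return seen


def find_persistence(events, cutoff):
    """Return access-granting events at or after the cutoff.

    new_ip is True when the actor had never been seen from that address
    before the cutoff, which is typical of a stolen token used elsewhere.
    """
    known = baseline_ips(events, cutoff)
    findings = []
    for ev in events:
        kind = PERSISTENCE_ACTIONS.get(ev["action"])
        if kind is None or ev["ts"] < cutoff:
            continue
        findings.append({
            "ts": ev["ts"].isoformat(),
            "actor": ev["actor"],
            "kind": kind,
            "target": ev["target"],
            "ip": ev["ip"],
            "new_ip": ev["ip"] not in known.get(ev["actor"], set()),
        })
    return findings


def shared_ips(findings):
    """Addresses behind flagged events for more than one actor."""
    by_ip = {}
    for f in findings:
        by_ip.setdefault(f["ip"], set()).add(f["actor"])
    return {ip: sorted(actors) for ip, actors in by_ip.items() if len(actors) > 1}


def audit_sample():
    """Run the check over the constructed sample log."""
    return find_persistence(parse_events(SAMPLE_LOG), CUTOFF)


if __name__ == "__main__":
    results = audit_sample()
    for f in results:
        flag = "NEW IP" if f["new_ip"] else "known IP"
        print(f"{f['ts']} {f['actor']:<8} {f['kind']:<22} {f['target']:<12} {f['ip']:<14} {flag}")
    for ip, actors in shared_ips(results).items():
        print(f"shared source {ip}: {', '.join(actors)}")
```

On the sample data the check flags three grants made after the cutoff (a deploy key, a personal access token and an OAuth authorisation), marks two of them as coming from an address the actor had never used, and reports that the same address sits behind both the CI account's deploy key and a developer's OAuth grant. In a real investigation the cutoff is the time of the last credential rotation, and anything flagged is revoked first and explained later.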

Source assisted: This briefing began from a discovered source item from Ars Technica.