2026-05-02
Cybersecurity

Targeting the Defenders: How Checkmarx and Bitwarden Fell Victim to Supply-Chain Attacks

Checkmarx and Bitwarden faced supply-chain attacks where hackers compromised Trivy and then Checkmarx's GitHub, stealing credentials and deploying ransomware to security firms.

In a series of coordinated attacks over recent weeks, security firms Checkmarx and Bitwarden have been targeted by supply-chain breaches and ransomware. The attackers, known for seeking notoriety, first compromised the Trivy vulnerability scanner's GitHub account, using it to push malware to users—including Checkmarx. Days later, Checkmarx's own GitHub was hijacked to distribute malicious code to its customers. Despite initial containment efforts, a ransomware strike followed, highlighting the escalating risks for companies that protect others' digital assets. Below, we explore the key questions surrounding these incidents.

What triggered the supply-chain attack against Checkmarx?

The chain of events began on March 19 when threat actors breached the GitHub repository of Trivy, a widely used vulnerability scanner. By compromising Trivy's account, the attackers injected malicious code into the scanner's legitimate updates. This code was then distributed to all Trivy users—including Checkmarx, a prominent application security firm. The malware specifically targeted infected machines to harvest sensitive credentials such as repository tokens, SSH keys, and other authentication secrets. This initial breach served as the foothold for a larger campaign aimed at security companies that rely on open-source tools.

Targeting the Defenders: How Checkmarx and Bitwarden Fell Victim to Supply-Chain Attacks
Source: feeds.arstechnica.com

How did Checkmarx itself become a distribution point for malware?

Just four days after the Trivy compromise, Checkmarx's own GitHub account was misused in a similar fashion. Attackers leveraged the stolen credentials (likely obtained from the earlier malware) to log into Checkmarx's account and push malicious updates to its customers. In effect, Checkmarx—a company that sells security solutions—became both a victim and an unwitting delivery mechanism for the malware. The firm quickly detected the intrusion, contained it, and replaced the malicious files with legitimate versions, believing the threat was neutralized. However, this proved to be only the first wave of assaults.

What kind of data did the malware attempt to steal?

Once installed on a victim's system, the malware engaged in extensive reconnaissance. It scanned local storage and configuration files for repository tokens (used for accessing code repositories like GitHub, GitLab, or Bitbucket), SSH private keys (which allow remote server access), and other credentials such as cloud API keys or database passwords. This data is extremely valuable to attackers because it enables them to pivot to other systems, perform lateral movement within organizations, and compromise additional software supply chains. The focus on authentication credentials suggests the attackers were building a toolkit for future breaches, possibly targeting other security firms and their clients.

Why was Bitwarden also singled out in this campaign?

While the published details focus on Checkmarx, the attack pattern clearly points to Bitwarden, a popular open-source password manager, as another intended target. Bitwarden was likely chosen for the same reason as Checkmarx: being a security company with a large user base, its compromise would yield high-value credentials and create widespread disruption. Moreover, fame-seeking hackers often target high-profile security vendors to maximize media coverage and prove their skills. By attacking both Checkmarx and Bitwarden, the threat actors aimed to demonstrate that even the defenders can be breached, shaking trust in the very tools meant to protect organizations.


What happened after Checkmarx believed the breach was contained?

After Checkmarx remediated the GitHub account compromise and replaced the malicious files, the firm might have assumed the worst was over. However, weeks later, the same group—or a related one—struck again with a ransomware attack. This second wave encrypted systems and demanded payment, likely leveraging backdoors or stolen credentials left from the earlier intrusion. The attackers, described as “prolific fame-seeking hackers,” used the ransomware to maximize disruption and draw further attention. This sequence underscores how a single initial compromise can lead to a cascading series of threats, making full recovery difficult and costly.

What lessons can other companies learn from these incidents?

The Checkmarx and Bitwarden saga offers several critical takeaways. First, third-party dependencies like Trivy must be monitored for anomalous behavior; a breach in a trusted tool can quickly escalate to customers. Second, GitHub account security demands robust measures—including multi-factor authentication, strict token rotation, and audit logging—to prevent stolen credentials from enabling account takeovers. Third, even after a breach appears contained, organizations should assume persistence and conduct deep forensic analysis. Finally, supply-chain attacks targeting security firms are rising because of their outsized impact; all companies should implement zero-trust principles and incident response plans that account for compromised upstream suppliers.
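One concrete form of the first two takeaways, as an added example that is not from the article or from any of the companies named: a check that every third-party GitHub Action in a workflow is pinned to an immutable commit SHA rather than a tag or branch that a compromised upstream account could repoint, plus a checksum comparison for downloaded artifacts. The workflow text, action names and digests below are constructed.

```python
import hashlib
import re

# Constructed sample workflow (not from the article). Line 7 is pinned to a
# full commit SHA; lines 8-10 use references an upstream account holder can move.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: example-org/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: example-org/scanner-action@v0.20.0
      - uses: example-org/upload-results@main
      - uses: example-org/notify
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_unpinned_actions(workflow_text):
    """Return (line_no, reference, reason) for each `uses:` entry not pinned to
    a 40-hex commit SHA. Tags and branches are mutable: whoever controls the
    publishing account can point them at new code, which is how a hijacked
    upstream account becomes a malicious update for every consumer."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local paths and image references are out of scope here
        if "@" not in ref:
            findings.append((line_no, ref, "no version reference at all"))
            continue
        _, version = ref.rsplit("@", 1)
        if not FULL_SHA_RE.match(version):
            findings.append((line_no, ref, f"mutable reference '{version}'"))
    return findings


def verify_sha256(artifact, expected_hex):
    """True only if a downloaded artifact matches a digest recorded out of band,
    e.g. in a lockfile committed before the upstream account was compromised."""
    return hashlib.sha256(artifact).hexdigest() == expected_hex.lower()


if __name__ == "__main__":
    for line_no, ref, reason in find_unpinned_actions(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {ref}: {reason}")
```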