
Supply-Chain Attack Targeted Checkmarx and Bitwarden

Summary

– Checkmarx suffered a supply-chain attack on March 19 via the compromised Trivy GitHub account, which pushed malware that stole credentials from users.
– On March 23, Checkmarx’s own GitHub account was breached and used to push malware to its customers, which the company initially contained and remediated.
– On April 22, Checkmarx’s GitHub account pushed another wave of malware, indicating the previous breach was not fully fixed or a new hack had occurred.
– Checkmarx also disclosed that the Lapsu$ ransomware group dumped private data onto the dark web, with the material dated March 30.
– The date stamp of the leaked data suggests attackers maintained access to Checkmarx’s GitHub account after the March 23 discovery of the compromise.

The past six weeks have been nothing short of a nightmare for security firm Checkmarx. The company has endured at least one supply-chain attack that spread malware to its customers on two separate occasions, and now it’s facing a ransomware attack from a group of hackers notorious for seeking fame.

The trouble began on March 19, when Trivy, a widely used vulnerability scanner, fell victim to a supply-chain attack. The attackers first breached the Trivy GitHub account, then used that access to push malware to Trivy users, including Checkmarx. That malware scoured infected machines for repository tokens, SSH keys, and other credentials.

Checkmarx became both a target and a delivery mechanism. Just four days later, on March 23, the company’s own GitHub account was compromised. Attackers began pushing malware directly to Checkmarx users. The security firm responded by containing and remediating the breach, replacing the malicious files with legitimate applications. Or so it thought.

On April 22, Checkmarx’s GitHub account pushed out a fresh wave of malware. This suggests either that the earlier breach was never fully resolved, or that a separate, unidentified hack had occurred. The company again worked to evict the attackers. According to security firm Socket, the official Checkmarx/kics Docker Hub repository also published malicious packages around the same time.

Then came Monday’s disclosure: another chapter in this saga. Checkmarx announced that a ransomware group tracked as Lapsu$ had dumped a cache of private data onto the dark web last week. The stolen material carries a date stamp of March 30. That date implies the attackers maintained their foothold in the GitHub account after Checkmarx discovered the March 23 compromise, and the company’s attempts to expel them ultimately failed.

(Source: Ars Technica)
