
How Cybercriminals Exploited Checkmarx and Bitwarden: A Step-by-Step Breakdown of the Supply-Chain Attack

Last updated: 2026-05-02 09:22:32 · Cybersecurity

Introduction

In early 2025, a supply-chain attack reached two security vendors, Checkmarx and Bitwarden, by first compromising Trivy, a widely used open-source vulnerability scanner. Over roughly 40 days the attackers turned that single foothold into malware pushed to Trivy's downstream users, used credentials harvested from those users to take over Checkmarx's GitHub account, and finally deployed ransomware inside Checkmarx. This guide walks through the sequence from the initial breach to the final payload; knowing the order of events, and which stolen secret enabled each step, is what lets a security team put the right control in front of each one.

Source: feeds.arstechnica.com

What You Need

  • Basic understanding of software supply chains and CI/CD pipelines
  • Familiarity with GitHub repositories and token management
  • Knowledge of malware analysis (optional but helpful)
  • A test environment to simulate attack vectors (recommended)

Step-by-Step Attack Sequence

Step 1: Breach the Trivy GitHub Account

The attackers began by compromising the official GitHub account of Trivy, an open-source vulnerability scanner maintained by Aqua Security. The source does not detail the initial access vector; the usual candidates are stolen maintainer credentials, hijacked session tokens, or a compromise of one of Trivy's own dependencies or CI secrets. Whatever the vector, the outcome was write access to the repository and, with it, the ability to publish releases that downstream users would trust.

Step 2: Inject Malware into Trivy Releases

Using that access, the attackers pushed malicious code into the Trivy repository and embedded it in release artifacts so that it executed during installation or at runtime. The payload had two jobs: harvest sensitive credentials from the host it ran on (repository tokens, SSH keys and similar) and establish a backdoor for remote control. A vulnerability scanner is an ideal carrier for this kind of payload because it routinely runs inside CI pipelines, where repository and registry tokens sit in the process environment.

Step 3: Wait for Downstream Victims to Update

Because Trivy is widely used by security firms and DevOps teams, the trojanized version was pulled and executed by many organizations as a routine update. Checkmarx was one of them. When its systems ran the malicious Trivy binary, the payload exfiltrated GitHub tokens and SSH keys, including credentials for Checkmarx's own GitHub account.
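The credential harvesting in this step is exactly what responders must reverse once the trojanized binary is identified. As an added example (not code from the article, Aqua Security, Checkmarx or Bitwarden), the Python script below inventories the credential files and environment variables such a payload, running as the CI user, could have read, and emits a redacted rotation list. The file paths, variable names and the sample token are constructed assumptions, not details taken from the incident.

```python
"""Inventory credentials a trojanized scanner process could have harvested.

Added example, not from the article. Lists the common credential files and
environment variables such a payload (running as the CI user) would read, so
responders have a concrete rotation list. Paths, variable names and sample
secrets are constructed assumptions.
"""
import re
import tempfile
from pathlib import Path

# Common credential locations under $HOME (assumed defaults, not from the article).
CREDENTIAL_FILES = [
    ".git-credentials",
    ".config/gh/hosts.yml",
    ".npmrc",
    ".docker/config.json",
    ".ssh/id_rsa",
    ".ssh/id_ed25519",
]

# Environment variables that commonly carry repository or registry tokens.
TOKEN_ENV_VARS = ["GITHUB_TOKEN", "GH_TOKEN", "NPM_TOKEN", "DOCKER_PASSWORD"]

# Publicly documented GitHub token formats (classic ghp_/gho_/... and fine-grained github_pat_).
GITHUB_TOKEN_RE = re.compile(r"\b(gh[pousr]_[A-Za-z0-9]{36,}|github_pat_[A-Za-z0-9_]{22,})\b")

# Constructed sample token: prefix plus exactly 36 alphanumerics, never a real secret.
FAKE_PAT = "ghp_" + "ExampleToken".ljust(36, "0")


def redact(secret):
    """Keep only the prefix and last four characters so the report is not itself a leak."""
    return secret[:4] + "..." + secret[-4:] if len(secret) > 8 else "****"


def inventory(home, env):
    """Return [(kind, location, redacted_value)] for everything that must be rotated."""
    findings = []
    for rel in CREDENTIAL_FILES:
        path = Path(home) / rel
        if not path.is_file():
            continue
        text = path.read_text(errors="ignore")
        first_line = text.lstrip().splitlines()[0] if text.strip() else ""
        tokens = GITHUB_TOKEN_RE.findall(text)
        if first_line.startswith("-----BEGIN") and "PRIVATE KEY" in first_line:
            findings.append(("ssh_private_key", str(path), "(key material)"))
        elif tokens:
            for token in tokens:
                findings.append(("github_token", str(path), redact(token)))
        else:
            findings.append(("credential_file", str(path), "(review contents)"))
    for var in TOKEN_ENV_VARS:
        if env.get(var):
            findings.append(("env_token", var, redact(env[var])))
    return findings


def build_demo_home():
    """Create a throwaway home directory populated with CONSTRUCTED sample credentials."""
    home = Path(tempfile.mkdtemp(prefix="ir-demo-"))
    (home / ".git-credentials").write_text(f"https://ci-bot:{FAKE_PAT}@github.com\n")
    (home / ".npmrc").write_text("//registry.npmjs.org/:_authToken=npm_placeholder\n")
    (home / ".ssh").mkdir()
    (home / ".ssh" / "id_ed25519").write_text(
        "-----BEGIN OPENSSH PRIVATE KEY-----\n(constructed placeholder)\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    )
    return home


def run_demo():
    """Run the inventory against the constructed home and a constructed environment."""
    env = {"GITHUB_TOKEN": FAKE_PAT, "PATH": "/usr/bin"}  # constructed, not os.environ
    return inventory(build_demo_home(), env)


if __name__ == "__main__":
    for kind, location, value in run_demo():
        print(f"ROTATE  {kind:16} {location}  {value}")
```

In a real response you would call `inventory(os.path.expanduser("~"), os.environ)` on every host and runner that executed the bad release, and treat every line of output as already compromised: revoke first, then investigate. The SSH key branch deliberately reports the file rather than its contents, and GitHub tokens are redacted, so the report itself can be attached to a ticket.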

Step 4: Use Stolen Credentials to Compromise Checkmarx’s GitHub

Armed with those credentials, the attackers authenticated to Checkmarx's GitHub account on March 23, with no need to break in a second time: the stolen token was a valid session. They then pushed malware directly into Checkmarx's repositories, aiming at Checkmarx's own customers. Checkmarx thus became both a victim and an unwitting distribution channel for the same campaign.


Step 5: Deploy Ransomware to Checkmarx’s Systems

After seizing control of the GitHub account, the attackers moved laterally into Checkmarx's internal network. Roughly 40 days after the initial Trivy compromise they deployed ransomware, a clear escalation from quiet credential theft to destructive extortion. According to the source, the ransomware encrypted critical servers and databases and demanded payment in cryptocurrency.

Step 6: Target Bitwarden via Similar TTPs

In parallel, the attackers ran the same playbook against Bitwarden, a widely used password manager. Fewer details are public; what has been described is consistent with credentials harvested by the trojanized Trivy release, or a comparable weakness in Bitwarden's development pipeline, being used to reach its build and release process. The objective was the same: poison Bitwarden's updates and get at encryption keys or user secrets.

Conclusion & Tips for Defense

This attack shows how a single compromised dependency can cascade into breaches of several security vendors, each step funded by secrets stolen in the previous one. To blunt the same chain:

  • Harden GitHub access: Use branch protection and required reviews, enforce MFA for every account with write or admin rights, and replace long-lived personal tokens with short-lived, narrowly scoped ones so a harvested token expires before it can be reused.
  • Audit third-party dependencies: Pin actions and downloaded binaries to immutable commit SHAs or checksums rather than floating tags, and run scanners such as Trivy in an isolated, least-privilege environment that does not hold production credentials.
  • Implement credential hygiene: Never store tokens in code or in the runner's home directory; issue them from a secrets manager or workload identity (for example OIDC federation) at job time and let them expire with the job.
  • Monitor for anomalous releases: Alert when a release tag moves to a different commit, when an artifact's digest changes without a new version, or when a release appears outside the normal cadence.
  • Plan incident response for supply-chain breaches: Keep a runbook that revokes every token and key the affected hosts could read, rebuilds those hosts, and restores tooling from verified upstream sources before anything is redeployed.
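The pinning and release-monitoring tips above can be checked mechanically. The Python below is an added example (not code from the article, Aqua Security, Checkmarx or Bitwarden): `audit_workflow()` flags `uses:` references in a GitHub Actions workflow that point at a mutable tag or branch instead of a full 40-hex commit SHA, and `tag_drift()` diffs a stored baseline of release tags, commit SHAs and artifact digests against a fresh snapshot, which is how a silently re-pointed tag or a swapped binary surfaces. The workflow text, tag names, commit values and digests are all constructed for the demo.

```python
"""Release-integrity checks for the pinning and monitoring tips above.

Added example, not code from the article or from any vendor it names.
audit_workflow() finds GitHub Actions `uses:` references that are not pinned
to an immutable commit SHA; tag_drift() diffs a stored baseline of tag ->
commit/digest against a fresh snapshot. All sample data is constructed.
"""
import re

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed workflow. The 40-hex value is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: aquasecurity/trivy-action@master
      - uses: example-org/lint-action
      - uses: ./.github/actions/local-step
"""

# Constructed baseline snapshot: tag -> commit SHA and sha256 of the release binary.
BASELINE = {
    "v1.0.0": {"commit": "a" * 40, "sha256": "1" * 64},
    "v1.1.0": {"commit": "b" * 40, "sha256": "2" * 64},
}
# Constructed "what the registry reports now": v1.1.0 was silently re-pointed.
OBSERVED = {
    "v1.0.0": {"commit": "a" * 40, "sha256": "1" * 64},
    "v1.1.0": {"commit": "c" * 40, "sha256": "3" * 64},
    "v1.2.0": {"commit": "d" * 40, "sha256": "4" * 64},
}


def audit_workflow(yaml_text):
    """Return [(reference, reason)] for every action not pinned to a full commit SHA."""
    problems = []
    for match in USES_RE.finditer(yaml_text):
        ref = match.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local actions and container images need a different check
        if "@" not in ref:
            problems.append((ref, "no version given; resolves to the default branch"))
            continue
        version = ref.rsplit("@", 1)[1]
        if not FULL_SHA_RE.match(version):
            problems.append((ref, f"mutable ref {version!r} can be re-pointed upstream"))
    return problems


def tag_drift(baseline, observed):
    """Return [(tag, field, old, new)] for every release that changed, vanished or appeared."""
    changes = []
    for tag, old in baseline.items():
        new = observed.get(tag)
        if new is None:
            changes.append((tag, "missing", old, None))
            continue
        for field in ("commit", "sha256"):
            if old.get(field) != new.get(field):
                changes.append((tag, field, old.get(field), new.get(field)))
    for tag in sorted(observed.keys() - baseline.keys()):
        changes.append((tag, "new_tag", None, observed[tag]))
    return changes


if __name__ == "__main__":
    for ref, reason in audit_workflow(SAMPLE_WORKFLOW):
        print(f"UNPINNED  {ref}: {reason}")
    for tag, field, old, new in tag_drift(BASELINE, OBSERVED):
        print(f"DRIFT     {tag} {field}: {old!r} -> {new!r}")
```

In practice the `observed` snapshot comes from `git ls-remote --tags` on the upstream repository plus the published checksums for each release asset, and the baseline must live somewhere the pipeline itself cannot write, otherwise an attacker with the CI token can update the baseline along with the tag. A `commit` change on an existing tag is the signal that matters most here: that is what a re-pointed release looks like from the consumer's side.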

By understanding the attacker’s steps, your organization can build proactive defenses and respond faster when the next supply-chain attack hits.