It has been a bad six weeks for security firm Checkmarx. Over the past 40 days, it has been the victim of at least one supply-chain attack that delivered malware to customers on two separate occasions. Now it has been hit by a ransomware attack from prolific fame-seeking hackers.
The streak of misfortunes started on March 19 with the supply-chain attack on Trivy, a widely used vulnerability scanner. The attackers first compromised the Trivy GitHub account and then used their access to push malware to Trivy users, one of which was Checkmarx. The pushed malware scoured infected machines for repository tokens, SSH keys, and other credentials.
Both a target and delivery mechanism
Four days later, Checkmarx’s GitHub account was compromised and began pushing malware to the security firm’s users. The company contained and remediated the breach and replaced the malware with the legitimate apps. Or so Checkmarx thought.
On April 22, the company’s GitHub account pushed a new wave of malware, suggesting either that the previous breach hadn’t been fully fixed or that a new, unidentified hack had occurred. The company once again worked to boot the attackers out of the account. According to security firm Socket, the official Checkmarx/kics Docker Hub repo also published malicious packages around the same time.
On Monday, Checkmarx disclosed there was another chapter to the saga. The company said that a ransomware group tracked as Lapsu$ last week dumped a tranche of private data onto the dark web. The date stamp of the dumped material was March 30. Based on the date stamp, it appears that the attackers maintained their access to the GitHub account following Checkmarx’s March 23 discovery of the compromise, and attempts to drive them out failed.
“Current evidence indicates that this data originated from Checkmarx’s GitHub repositories, and that access to those repositories was facilitated through the initial supply chain attack of March 23, 2023,” Checkmarx said Monday. The company didn’t say what kinds of data were leaked.
Checkmarx isn’t the only security company to suffer the aftereffects of the Trivy breach. Socket said that another security firm, Bitwarden, was also hit in the same supply-chain attack. Socket tied the Bitwarden breach to the Trivy campaign because the payload used the same C2 endpoint and core infrastructure as the Checkmarx malware.
Bitwarden said that a malicious package “was briefly distributed through the npm delivery path for @bitwarden/cli@2026.4.0 between 5:57 PM and 7:30 PM (ET) on April 22, 2026.”
The Trivy attack was carried out by a group calling itself TeamPCP. The group is among the most successful access-broker operations, a class of hackers that smashes and grabs credentials from victims and then sells them to other hackers. The key to its ascendancy is its targeting of tools that already have privileged access.
In the case of Checkmarx, it appears TeamPCP sold access credentials to Lapsu$, a ransomware group made up mostly of teenagers known as much for its skill in breaching large companies as it is for its taunts and braggadocio once it succeeds.
The incidents demonstrate the cascading effects a single breach can have. With both Checkmarx and Bitwarden affected, it’s possible that there will be new attacks on their customers or partners and that even more downstream compromises could result from those. Socket CEO Feross Aboukhadijeh said in an email that security organizations are particular targets because of their products’ close proximity to sensitive data and their wide distribution across the Internet.
“You will see this same thread throughout these compromises,” Aboukhadijeh said. “Attackers are treating security tools as both a target and a delivery mechanism. They are attacking the products that are supposed to protect the supply chain, then using those same products to steal credentials and move to the next victim.”