Why a Recent Supply Chain Attack Targeted Security Companies Checkmarx and Bitwarden

Checkmarx has reported that a recent data breach appears to have stemmed from its GitHub repositories, with access facilitated by a supply chain attack that occurred on March 23, 2023. While the exact types of data that were compromised remain undisclosed, this incident highlights the vulnerabilities inherent in software development processes.

The repercussions of the Trivy breach extend beyond Checkmarx, impacting other security firms as well. Specifically, Bitwarden, another security company, has been identified as a victim of the same supply chain attack. Socket, a cybersecurity organization, has linked the Bitwarden breach to the ongoing Trivy campaign, citing the use of identical command-and-control endpoints and core infrastructure in both cases.

The attack has been attributed to a group known as TeamPCP, recognized for its proficiency in access-broker operations—hackers adept at stealing and selling access credentials. TeamPCP’s strategy capitalizes on targeting tools that possess privileged access, thus enabling them to exploit vulnerable systems effectively.

In Checkmarx’s scenario, it is believed that TeamPCP sold access credentials to the ransomware collective Lapsu$, a group notorious for its capability to breach large corporations while exhibiting brazen behavior during and after successful attacks. This interaction exemplifies the multifaceted nature of cybersecurity threats, where initial breaches can cascade into broader vulnerabilities.

The incidents surrounding Checkmarx and Bitwarden serve as stark reminders of the potential ripple effects that a single cyber breach can have. As both companies grapple with the fallout, there is an increased risk of subsequent attacks on their clients and partners, threatening further compromises in the ecosystem. Feross Aboukhadijeh, CEO of Socket, emphasized via email that security organizations frequently find themselves in the crosshairs of cyber attackers. This is attributable to their proximity to sensitive information and widespread operational architecture around the Internet.

Aboukhadijeh noted a disturbing trend where security tools are treated as both targets and means to infiltrate other systems. Attackers are leveraging the very instruments designed to safeguard the supply chain to extract credentials, thereby advancing their malicious agenda. This tactic aligns with several MITRE ATT&CK adversary techniques, particularly in the realms of initial access, privilege escalation, and persistence, indicating the strategic complexity of contemporary cyber threats.

As businesses consider their cybersecurity posture, the evolving dynamics of these attacks underscore the necessity for robust defenses and vigilant monitoring. Understanding the mechanisms employed by attackers like TeamPCP can enhance preparedness against potential vulnerabilities and mitigate risks associated with supply chain attacks. The importance of maintaining situational awareness and fostering a culture of security cannot be overstated in today’s threat landscape.

Source

Related Posts

Surge in Brute-Force Attacks on Fortinet SSL VPNs Precedes Focus on FortiManager

August 12, 2025
Threat Intelligence / Enterprise Security

Cybersecurity experts are reporting a significant increase in brute-force traffic directed at Fortinet SSL VPN devices. A coordinated effort, noted by threat intelligence firm GreyNoise, was detected on August 3, 2025, involving over 780 unique IP addresses participating in the attack. In the last 24 hours alone, 56 unique malicious IP addresses have been identified, originating from countries including the United States, Canada, Russia, and the Netherlands.

Targets of this brute-force activity span across the United States, Hong Kong, Brazil, Spain, and Japan. GreyNoise emphasized that the attacks were specifically aimed at their FortiOS profile, indicating a deliberate targeting strategy rather than opportunistic behavior. The firm also reported observing two distinct waves of assaults before and after August 5, with one being a prolonged brute-force attack.

From HealthKick to GOVERSHELL: Tracing the Development of UTA0388’s Espionage Malware

Oct 09, 2025
Cyber Espionage / Artificial Intelligence

A China-aligned threat group referred to as UTA0388 has been linked to a series of spear-phishing campaigns targeting North America, Asia, and Europe, with the intent of deploying a Go-based implant known as GOVERSHELL. According to a report from Volexity, “The initial campaigns were meticulously crafted for specific targets, using messages that appeared to come from senior researchers and analysts at convincingly fake organizations.” The aim of these spear-phishing efforts was to manipulate targets into clicking links leading to a remotely hosted archive containing a malicious payload. Over time, the threat actor has employed various lures and invented identities, utilizing multiple languages, including English, Chinese, Japanese, French, and German. Early versions of these campaigns often included links to phishing content hosted on either cloud services or their own infrastructure.

Google Uncovers Three New Malware Families Linked to Russian COLDRIVER Hackers

October 21, 2025
Cyber Espionage / Threat Intelligence

Google’s Threat Intelligence Group (GTIG) has revealed that the hacking group COLDRIVER, associated with Russia, has introduced a new suite of malware, indicating an intensified operational pace. Since May 2025, the group has shown a knack for rapid development and refinement, unveiling these new malware families just five days after the release of their previously documented LOSTKEYS. While the exact duration of development for the new malware remains unclear, GTIG noted a complete absence of LOSTKEYS activities since its disclosure. The newly identified threats—codenamed NOROBOT, YESROBOT, and MAYBEROBOT—constitute a “collection of related malware families interconnected through a delivery chain,” according to GTIG researcher Wesley Shields in a Monday analysis. These recent attack strategies mark a significant shift from COLDRIVER’s standard operational patterns.

Bearlyfy Targets Russian Companies with Custom GenieLocker Ransomware

Mar 27, 2026
Threat Intelligence / Vulnerability

The pro-Ukrainian group Bearlyfy has carried out over 70 cyber attacks on Russian firms since emerging in January 2025, deploying a custom Windows ransomware strain known as GenieLocker in their latest campaigns. According to Russian security firm F6, “Bearlyfy (also referred to as Labubu) is a dual-purpose group focused on maximizing damage to Russian businesses, aiming for both financial extortion and acts of sabotage.” The group was first identified by F6 in September 2025, noted for using encryptors linked to LockBit 3 (Black) and Babuk, initially targeting smaller companies before escalating to ransom demands around €80,000 (approximately $92,100). By August 2025, Bearlyfy had claimed at least 30 victims. Additionally, starting in May 2025, the group began to use a modified version of PolyVice, a ransomware variant associated with Vice Society.