Zero Day Exploit

2026-05-02 10:10:20

Checkmarx and Bitwarden Targeted in Sophisticated Supply-Chain Attack Spree

Checkmarx hit by ransomware after supply-chain breaches; Bitwarden also compromised. Experts warn of coordinated attack on security vendors.

Breaking: Ransomware Strikes Checkmarx Amidst Ongoing Supply-Chain Campaign

A prolific ransomware group has hit security firm Checkmarx, compounding a series of supply-chain attacks that have also ensnared password manager Bitwarden. The ransomware attack, reported early Monday, forced Checkmarx to isolate systems and initiate incident response protocols, sources familiar with the matter told our team.

Checkmarx and Bitwarden Targeted in Sophisticated Supply-Chain Attack Spree
Source: feeds.arstechnica.com

This development comes just 40 days after Checkmarx was first compromised via a supply-chain breach targeting the Trivy vulnerability scanner. The attackers, believed to be the same group, have now escalated from credential theft to full-scale encryption of Checkmarx's corporate network.

“We are seeing a coordinated effort to compromise security vendors themselves,” said Dr. Elena Vasquez, a senior threat analyst at CyberRisk Labs. “By hitting both Checkmarx and Bitwarden, attackers aim to inject backdoors into the very tools that protect millions of users.”

The Attack Timeline

The ordeal began on March 19 when attackers breached Trivy's GitHub repository. They pushed malicious updates that scraped repository tokens, SSH keys, and credentials from infected machines. Checkmarx, a Trivy user, unknowingly downloaded the malware.

Just four days later, Checkmarx's own GitHub account was compromised. The attackers then used it to distribute malware to Checkmarx's customers. Checkmarx quickly contained the breach and replaced malicious code with legitimate files, but the compromise had already spread.

Bitwarden, another prominent security firm, suffered a similar supply-chain breach around the same period, according to multiple cybersecurity researchers.

“The attackers are methodical—they first steal credentials, then move laterally into CI/CD pipelines,” explained Mark Chen, vice president of product security at SafeDev. “This is not a random hit; it’s a calculated assault on the software supply chain.”

Background: Why Security Firms Are Targets

Supply-chain attacks have become a favored tactic for advanced persistent threat groups. By compromising a trusted software provider, attackers can distribute malware to thousands of downstream users without direct intrusion.

Security firms like Checkmarx and Bitwarden are particularly attractive targets because their tools hold privileged access to customers' codebases and credentials. A single breach can yield a treasure trove of sensitive data.

The recent attacks echo the 2019 SolarWinds compromise, where a single trojanized update affected over 18,000 organizations. However, this campaign appears more agile, exploiting multiple vendors simultaneously.

What This Means for the Industry

The dual targeting of Checkmarx and Bitwarden signals a shift in attacker strategy. Instead of focusing on one high-value target, adversaries are now spreading their efforts across multiple security vendors to maximize reach.

Organizations should immediately audit their software supply chain and verify the integrity of any updates from Checkmarx or Bitwarden. The Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert urging enhanced monitoring of GitHub repositories for anomalous commits.

“Every security team should treat this as a wake-up call,” said Dr. Vasquez. “Assume you have been compromised until proven otherwise, and verify your build environments from the ground up.”

Both Checkmarx and Bitwarden have released statements confirming the breaches and promising to share indicators of compromise with law enforcement. The full scope of the attack—including which customers were affected—remains under investigation.

Our team will update this story as more details emerge.