HeadlinesBriefing.com

Checkmarx and Bitwarden hit by Trivy supply‑chain breach

Ars Technica

A recent supply‑chain breach traced back to the March 23, 2023 Trivy attack exposed hidden access to Checkmarx’s GitHub repositories. Checkmarx confirmed that the stolen data entered through that initial compromise, though it stopped short of naming the leaked material. The incident places the security firm at the center of a chain reaction that now reaches other vendors.

Socket, the creator of the Trivy tool, identified Bitwarden as another victim. The malicious code found at both firms reported to the same command‑and‑control infrastructure, suggesting the attackers used a single payload across multiple targets. Socket’s CEO, Feross Aboukhadijeh, warned that security companies are prime targets because their tools sit close to sensitive data and are deployed widely across the internet.

The attackers, dubbed TeamPCP, belong to a cadre of access‑broker groups that harvest credentials and sell them to other actors. In this case, TeamPCP allegedly handed the Checkmarx credentials to Lapsus$, a teenage‑run ransomware outfit known for high‑profile breaches. This handoff shows how a single compromise can cascade into broader attacks.

With Checkmarx and Bitwarden now compromised, downstream customers and partners face an elevated threat. The breach underscores the risk of relying on security tools that can themselves become vectors for credential theft. Operators must audit supply‑chain security and enforce tighter access controls to prevent similar exploitation.