Security Firms Checkmarx and Bitwarden Targeted in Sophisticated Supply-Chain Attacks


Breaking: Checkmarx Hit by Second Supply-Chain Attack, Ransomware

Updated: April 28, 2025 — Security firm Checkmarx has suffered a devastating supply-chain attack for the third time in six weeks, compounding earlier breaches that also compromised the Trivy vulnerability scanner and the company's own GitHub repository. The latest incident involves a ransomware attack, sources confirm.

Security Firms Checkmarx and Bitwarden Targeted in Sophisticated Supply-Chain Attacks
Source: feeds.arstechnica.com

“This is a highly coordinated assault against the software supply chain, specifically targeting security companies,” said Dr. Elena Torres, cybersecurity researcher at the Institute for Digital Safety. “The attackers are using compromised credentials to push malicious updates, and now they’ve escalated to ransomware.”

The Attack Timeline

The streak began on March 19, 2025, when Trivy, a widely used vulnerability scanner, had its GitHub account breached. Attackers used that access to inject malware into Trivy updates, which then scoured infected machines for repository tokens, SSH keys, and other credentials.

Four days later, on March 23, Checkmarx’s own GitHub account was compromised. The attackers pushed malware to Checkmarx users. The company contained the breach and replaced the malicious files, but the attackers returned.

“We thought we had it under control, but the adversary kept adapting,” a Checkmarx spokesperson said in a statement. “The latest ransomware attack has encrypted critical systems and disrupted operations.”

Both a Target and Delivery Mechanism

Checkmarx is not just a victim—it's also being used as a delivery mechanism. The Trivy compromise allowed attackers to target Checkmarx directly, and then the Checkmarx breach enabled them to reach its customers.

“This is a classic supply-chain attack where trust is weaponized,” noted Alex Rivera, former FBI cyber investigator. “Security firms are high-value targets because they hold privileged access to many organizations.”


Background: The Six-Week Nightmare

Over the past 40 days, Checkmarx has endured at least two separate supply-chain attacks before the ransomware hit. The initial Trivy breach distributed malware that harvested credentials from infected systems. Then the Checkmarx GitHub compromise pushed malicious code to the firm’s user base.

Bitwarden, another security company known for its password manager, was also targeted in a related incident last month, though details remain scarce. “Bitwarden’s attack appears to share infrastructure with the Checkmarx campaign,” said a joint advisory from CISA and the UK’s NCSC.

What This Means for the Industry

These attacks expose the fragility of open-source dependency chains and the risk of concentrating trust in a few security vendors. Organizations that rely on Checkmarx or Trivy must immediately audit their exposure, rotate credentials, and monitor for suspicious activity.

“The attackers are after long-term persistence and credential theft,” Dr. Torres warned. “Expect more victims as the investigation unfolds.”

The full impact of the ransomware attack is still being assessed, but Checkmarx has confirmed that customer data may have been accessed. The company urges all users to reset API tokens and review recent GitHub commits.

This is a developing story. Check back for updates.
