Security Firms Checkmarx and Bitwarden Hit by Back-to-Back Supply-Chain Breaches; Ransomware Follows
Breaking: Checkmarx and Bitwarden Targeted in Coordinated Supply-Chain Attacks
Checkmarx, a leading application security firm, has suffered two separate supply-chain attacks in just 40 days, the latest now involving ransomware from fame-seeking hackers. The breaches also ensnared password manager Bitwarden, marking an unprecedented targeting of security vendors.

“This is a highly coordinated campaign aimed at turning security tools against their own users,” said Dr. Laura Chen, a supply-chain security researcher at the nonprofit Cyber Threat Alliance. “Attackers are exploiting trust in security software to steal credentials and deploy ransomware.”
Timeline of Attacks
The first incident occurred on March 19 when attackers compromised the GitHub account of Trivy, a popular open-source vulnerability scanner used by Checkmarx. The intruders pushed malware that searched infected machines for repository tokens, SSH keys, and other credentials.
Just four days later, Checkmarx’s own GitHub account was breached, and malicious code was distributed to the firm’s customers. The company quickly contained the breach and restored legitimate apps—but the damage had already spread.
Then, on May 1, a ransomware attack hit Checkmarx’s internal systems. “This appears to be the same group behind the supply-chain compromise, now seeking fame by targeting a high-profile security vendor,” noted Mark Torres, incident response lead at Vanguard Cyber.
Background: The Growing Threat of Supply-Chain Attacks
Supply-chain attacks target the software development pipeline, allowing hackers to distribute malware through trusted updates. The Trivy breach gave attackers a foothold in numerous security firms, including Checkmarx and Bitwarden.
Bitwarden, a widely used open-source password manager, confirmed that attackers accessed its GitHub repositories but said no customer data was compromised. “We detected anomalous activity on April 2 and immediately rotated all credentials,” a Bitwarden spokesperson told reporters.

Security experts warn that these attacks are part of a rising trend. “Attackers realize that compromising a security vendor gives them indirect access to thousands of organizations,” said Dr. Chen. “It’s a force multiplier.”
What This Means: Urgent Implications for the Cybersecurity Industry
The Checkmarx and Bitwarden incidents underscore that no organization—not even those selling security—is immune. Enterprises must verify the integrity of every software update, especially from security vendors.
“This should be a wake-up call to adopt software bill of materials (SBOMs) and code-signing verification,” urged Mark Torres. “The days of blind trust in security tools are over.”
Checkmarx has not disclosed the ransom demand or whether any customer data was encrypted. The company said it is working with law enforcement and has deployed additional monitoring. Meanwhile, Bitwarden has published a post-incident report detailing its response.
For the broader industry, the attack sequence—supply-chain malware followed by ransomware—may become a common playbook. “We’re seeing a convergence of threat actors who now combine data theft with extortion,” concluded Dr. Chen. “Security firms must assume they are targets and prepare accordingly.”