What's Happening?
Checkmarx has confirmed that a supply chain attack targeting its KICS open source project resulted in data theft. The attack, attributed to the TeamPCP hacking group, involved hijacking GitHub Action version tags so that they referenced malware. This incident is part of a larger campaign targeting open source software ecosystems for credential and sensitive information theft. The attackers accessed Checkmarx's GitHub environment using credentials compromised via the Trivy hack on March 23, 2026. Despite efforts to mitigate the attack, including removing malicious packages and rotating credentials, the attackers managed to regain access and publish more malicious code. The breach led to the compromise of the Bitwarden CLI NPM package (Bitwarden is a popular open source password management platform). Checkmarx has taken steps to address the breach, including notifying law enforcement, retaining Mandiant for the investigation, and enhancing its security measures.
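Tag hijacking works because a version tag such as `@v4` is a mutable pointer that the repository owner (or whoever controls their credentials) can re-point at any commit. The check below is an added example, not code from the page or from Checkmarx/KICS: it scans a GitHub workflow and flags every `uses:` step that references an action by a tag or branch instead of a full 40-character commit SHA; the sample workflow is constructed for the demonstration.

```python
import re

# A full-length commit SHA is the one reference that a later tag push cannot silently re-point.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches the `uses:` key of a workflow step; the value may be quoted and followed by a comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")


def classify_uses(value: str) -> str:
    """Classify a `uses:` reference as 'immutable', 'mutable' or 'local'."""
    if value.startswith("./"):
        return "local"                      # action lives in this repo: no remote tag to hijack
    if value.startswith("docker://"):
        return "immutable" if "@sha256:" in value else "mutable"   # image tags move too
    if "@" not in value:
        return "mutable"                    # no ref at all resolves to the default branch
    _, ref = value.rsplit("@", 1)
    return "immutable" if FULL_SHA_RE.match(ref) else "mutable"


def find_mutable_uses(workflow_text: str) -> list[tuple[int, str]]:
    """Return (line_number, reference) for every step pinned to a tag or branch."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and classify_uses(m.group(1)) == "mutable":
            findings.append((lineno, m.group(1)))
    return findings


# Constructed sample workflow (not from the page): only the checkout step is SHA-pinned.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v4.1.1
      - uses: actions/setup-node@v4
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - uses: 'some-org/scan-action@main'
"""

if __name__ == "__main__":
    for lineno, ref in find_mutable_uses(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} uses a mutable ref; pin to a full commit SHA")
```

Keeping the human-readable version in a trailing comment (as on the checkout line) preserves reviewability, and the SHA is what actually gets executed.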
Why It's Important?
This incident highlights the vulnerabilities in supply chain security, particularly within open source projects. The breach not only affects Checkmarx but also poses risks to users of the compromised software, such as the Bitwarden CLI NPM package. The attack underscores the need for robust security measures in managing open source projects and the potential consequences of supply chain attacks on the broader software ecosystem. Companies relying on open source software must be vigilant in monitoring for such threats to protect sensitive data and maintain trust with users. The involvement of groups like TeamPCP and Lapsus$ further emphasizes the organized nature of these cyber threats and the importance of coordinated responses to mitigate their impact.
What's Next?
Checkmarx is in the final stages of its investigation and is working to confirm that unauthorized access has been fully contained. The company plans to share further updates as they become available. Meanwhile, the broader software community may need to reassess security protocols and consider additional safeguards to prevent similar incidents. Stakeholders, including developers and users of open source software, may push for more stringent security standards and practices to protect against future supply chain attacks. The incident could also prompt regulatory bodies to examine the security of open source projects more closely, potentially leading to new guidelines or requirements.