
Supply-Chain Attack Targets Security, Dev Tools with Credential Theft


"Attackers are deliberately targeting the tools developers are told to trust most: security scanners, password managers, and other high-privilege software wired directly into developer environments," Socket CEO Feross Aboukhadijeh told The Register.

Checkmarx confirms GitHub repo exposure after Lapsus$ claim

Checkmarx said investigators are still working to "verify the nature and scope" of data posted online, but current evidence suggests "this data originated from Checkmarx's GitHub repository, and that access to that repository was facilitated through the initial supply chain attack of March 23, 2026." The vendor locked down access to the affected repository and said it will notify "all relevant parties immediately" if the investigation determines customer information was posted publicly. The Lapsus$ extortion group added Checkmarx to its leak site and, via a post shared on X by Dark Web Informer, claimed to have dumped source code, API keys, MongoDB and MySQL login credentials, and employee details.

How the campaign began: Trivy, late February and March 16

The operation traces back to Trivy, an open source vulnerability scanner maintained by Aqua Security. According to the reporting, TeamPCP first compromised Trivy in late February. On March 16, TeamPCP injected credential‑stealing malware into the scanner, harvesting developers' secrets, cloud credentials, SSH keys, and Kubernetes configuration files and planting persistent backdoors on developers' machines. That compromise yielded CI/CD secrets TeamPCP then used on March 23 as an initial access vector into other projects and vendors.

Poisoned KICS images, GitHub Actions and Open VSX plugins

On March 23 attackers injected the same credential‑stealing malware into KICS, the open source static analysis tool maintained by Checkmarx, and pushed poisoned images to the official checkmarx/kics Docker Hub repository. Socket's researchers found the bundled KICS binary had been modified "to include data collection and exfiltration capabilities not present in the legitimate version." Their analysis reported that the trojanized binary could generate an uncensored scan report, encrypt it, and send it to an external endpoint — a serious risk because KICS is used to scan infrastructure‑as‑code that may itself contain credentials or sensitive configuration data.

Checkmarx's initial advisory said the March 23 supply chain incident also affected two Open VSX plugins and two GitHub Actions workflows, expanding the range of developer tooling touched by the compromise.

Bitwarden CLI compromise and the widened blast radius

Socket researchers later disclosed that the open source Bitwarden CLI was also compromised as part of the Checkmarx intrusion. The reporting notes Bitwarden is used by more than 10 million users and over 50,000 businesses and that Bitwarden claims to be the "No. 2 enterprise password manager." Socket CEO Feross Aboukhadijeh framed the danger: when an attacker compromises tools like security scanners and password managers, "you are potentially gaining access to GitHub tokens, cloud credentials, CI secrets, npm publish access, and the downstream environments those tools touch." That comment underscores how a single compromise of a highly trusted tool can propagate access across many projects and environments.

TeamPCP, Lapsus$, Vect and the campaign's ambitions

After the initial Trivy compromise, TeamPCP moved through a sequence of open source projects — including LiteLLM, Telnyx and KICS — chaining access across developer ecosystems. The group then partnered with ransomware and extortion actors, including Vect and Lapsus$, and boasted on BreachForums that "we will pull off even bigger supply chain operations. We will chain these compromises into devastating follow-on ransomware campaigns." In early April, AI training firm Mercor confirmed it was "one of thousands of companies" affected by the LiteLLM supply‑chain attack after Lapsus$ offered 4 TB of data, including 939 GB of Mercor source code, for sale.

What this means for technologists, procurement leaders, and adversaries

  • Technologists and security teams: The attackers targeted tools that run inside developer environments and are often over‑privileged. Teams will watch for signs of persistent backdoors, stolen CI/CD secrets, and poisoned binaries after the Trivy injection and the March 23 activity against KICS and Checkmarx tooling.
  • Affected enterprises and procurement leaders: The incident demonstrates that downstream impact can cascade from open source scanners and plugins into thousands of cloud environments. Enterprises should expect disclosure timelines and possible notifications from vendors — Checkmarx has said it will notify relevant parties if customer data is exposed and promised a "more detailed update within 24 hours."
  • Adversaries and criminal partners: The campaign shows a deliberate strategy to weaponize trust in security tooling by chaining compromises across projects and then monetizing access through extortion and ransomware partnerships, as TeamPCP described on BreachForums.
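The bullets above point to over-privileged developer tooling and poisoned binaries pulled from public registries. One control a team can apply directly is to refuse mutable references in CI: GitHub Actions pinned to a full commit SHA rather than a tag, and container images pulled by `@sha256` digest rather than by tag, so a re-pushed image under the same tag is caught by a pull failure rather than silently run. The checker below is an added example written for this page, not code from Checkmarx, Socket, Aqua or any project named in the article. The workflow and Dockerfile snippets are constructed samples; the `checkmarx/kics` image name is taken from the article, but the tags, the commit SHA and the digest are illustrative values, not indicators from the incident.

```python
import re
from dataclasses import dataclass

# Constructed sample inputs (not from the article or any real project).
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    container: checkmarx/kics:latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
      - uses: ./local-action
"""

SAMPLE_DOCKERFILE = """\
FROM --platform=linux/amd64 checkmarx/kics:latest AS scanner
FROM example.org/base@sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
"""

COMMIT_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
# Matches Dockerfile FROM lines (skipping --platform style flags) and the
# container:/image: keys used in GitHub Actions workflows.
IMAGE_LINE_RE = re.compile(r"^\s*(?:FROM\s+(?:--\S+\s+)*|container:\s*|image:\s*)(\S+)")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")


@dataclass
class Finding:
    line_no: int
    kind: str      # "action" or "image"
    ref: str
    reason: str


def check_actions(workflow_text: str) -> list:
    """Flag `uses:` references that are not pinned to a full commit SHA."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local actions live in this repo; docker:// refs are images
        if "@" not in ref:
            findings.append(Finding(n, "action", ref, "no version reference at all"))
            continue
        version = ref.rsplit("@", 1)[1]
        if not COMMIT_SHA_RE.match(version):
            findings.append(Finding(n, "action", ref,
                                    f"mutable ref '{version}'; pin to a full commit SHA"))
    return findings


def check_images(text: str) -> list:
    """Flag image references (FROM / container: / image:) that carry no digest."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = IMAGE_LINE_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if DIGEST_RE.search(ref):
            continue  # digest-pinned: content-addressed, a re-pushed tag cannot replace it
        name_part = ref.rsplit("/", 1)[-1]
        tag = name_part.split(":", 1)[1] if ":" in name_part else None
        if tag is None or tag == "latest":
            reason = "implicit or explicit 'latest' tag; pin by @sha256 digest"
        else:
            reason = f"mutable tag '{tag}'; pin by @sha256 digest"
        findings.append(Finding(n, "image", ref, reason))
    return findings


def audit(workflow_text: str, dockerfile_text: str) -> list:
    """Run both checks; images are checked in the workflow and the Dockerfile."""
    return (check_actions(workflow_text)
            + check_images(workflow_text)
            + check_images(dockerfile_text))


if __name__ == "__main__":
    for f in audit(SAMPLE_WORKFLOW, SAMPLE_DOCKERFILE):
        print(f"line {f.line_no} [{f.kind}] {f.ref}: {f.reason}")
```

On the sample input the checker flags the `actions/checkout@v4` step and both `checkmarx/kics:latest` references while accepting the SHA-pinned action and the digest-pinned base image. Pinning only freezes what you get; if the digest you record already points at a poisoned build, you keep pulling it, so the first pin should be checked against the upstream project's published release before it is committed, and the pin updated through a reviewed change rather than a floating tag.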

This episode is not a single breach but a ripple across the software supply chain: a March 16 compromise of Trivy that supplied CI/CD secrets used on March 23 to poison KICS and other tooling, followed by claimed data dumps and extortion attempts involving Lapsus$ and partners. Checkmarx's investigation is active and many questions remain about the extent of exposed customer data and the attack's downstream consequences — answers the vendor has promised to provide in a more detailed update.
