    Why a recent supply-chain attack singled out security firms Checkmarx and Bitwarden

    “Current evidence indicates that this data originated from Checkmarx’s GitHub repositories, and that access to those repositories was facilitated through the initial supply chain attack of March 23, 2023,” Checkmarx said Monday. The company didn’t say what kinds of data were leaked.

    Checkmarx isn’t the only security company to suffer the aftereffects of the Trivy breach. Socket said that another security firm, Bitwarden, was also hit in the same supply-chain attack. Socket tied the Bitwarden breach to the Trivy campaign because the payload used the same C2 endpoint and core infrastructure as the Checkmarx malware.

    The Trivy attack was carried out by a group calling itself TeamPCP. The group is among the most successful access-broker operations, a class of hackers that smashes and grabs credentials from victims and then sells them to other hackers. The key to its ascendency is its targeting of tools that already have privileged access.

    In the case of Checkmarx, it appears TeamPCP sold access credentials to Lapsus$, a ransomware group made up mostly of teenagers and known as much for its skill in breaching large companies as for its taunts and braggadocio once it succeeds.

    The incidents demonstrate the cascading effects a single breach can have. With both Checkmarx and Bitwarden affected, it’s possible that there will be new attacks on their customers or partners, and that even more downstream compromises could result from those. Socket CEO Feross Aboukhadijeh said in an email that security organizations are particular targets because of their products’ close proximity to sensitive data and their wide distribution across the Internet.

    “You will see this same thread throughout these compromises,” Aboukhadijeh said. “Attackers are treating security tools as both a target and a delivery mechanism. They are attacking the products that are supposed to protect the supply chain, then using those same products to steal credentials and move to the next victim.”
