Última hora
BRIncêndio em hotel deixa cinco feridos em Chapecó (SC)DERussland greift Kyjiw mit Marschflugkörpern und Raketen an – Tote und VerletzteFRJérôme Barella, suspect dans le meurtre d'une fillette, visé par une perquisitionFR16 enfants enfermés dans 13 m² survivaient dans la «maison de l’horreur» aux États-UnisGLOBALUEFA Slams FIFA's 'Unprecedented' Decision on Balogun BanCRYPTO-FRRipple obtient une licence européenne pour ses services de paiement cryptoCN全球媒体聚焦|纳米比亚总统访华 经贸合作再提速RUЗахарова: Лондон управляет Киевом в совершении терактовDESkandal um US-Spieler Balogun: Diese WM steht jetzt unter GeneralverdachtINबारुईपुर में नाबालिग लड़की से रेप के बाद हत्या, ममता को 'हाउस अरेस्ट' किए जाने का दावाBRIncêndio em hotel deixa cinco feridos em Chapecó (SC)DERussland greift Kyjiw mit Marschflugkörpern und Raketen an – Tote und VerletzteFRJérôme Barella, suspect dans le meurtre d'une fillette, visé par une perquisitionFR16 enfants enfermés dans 13 m² survivaient dans la «maison de l’horreur» aux États-UnisGLOBALUEFA Slams FIFA's 'Unprecedented' Decision on Balogun BanCRYPTO-FRRipple obtient une licence européenne pour ses services de paiement cryptoCN全球媒体聚焦|纳米比亚总统访华 经贸合作再提速RUЗахарова: Лондон управляет Киевом в совершении терактовDESkandal um US-Spieler Balogun: Diese WM steht jetzt unter GeneralverdachtINबारुईपुर में नाबालिग लड़की से रेप के बाद हत्या, ममता को 'हाउस अरेस्ट' किए जाने का दावा
Newsgather
BackCheckmarx Hit by Supply Chain Attack, Then Ransomware in Cascading Security Breaches
Checkmarx Hit by Supply Chain Attack, Then Ransomware in Cascading Security Breaches
En desarrollo
Ars Technica29.04.2026Tecnología2 dk okumaUnited States

Checkmarx Hit by Supply Chain Attack, Then Ransomware in Cascading Security Breaches

Security vendor compromised through Trivy vulnerability scanner breach, with attackers pushing malware to customers and later leaking data via Lapsu$ ransomware group

En resumen

  • Checkmarx, a security firm, has suffered a devastating series of breaches over 40 days.
  • It was first compromised through a supply-chain attack on the Trivy vulnerability scanner on March 19, with attackers pushing malware that stole credentials.
  • Checkmarx's own GitHub account was then breached on March 23, pushing malware to its users.

Resumen generado por IA

Por qué importa

This article describes a cascading series of security breaches affecting Checkmarx, a security vendor, through a supply chain attack originating from the Trivy vulnerability scanner. The attackers first compromised Trivy's GitHub account to push malware, then used that access to breach Checkmarx. The same attack methodology affected Bitwarden. TeamPCP, an access broker, carried out the initial breach and apparently sold credentials to Lapsu$ ransomware group.

Tamaño de fuente

It has been a bad six weeks for security firm Checmarx. Over the past 40 days, it has been the victim of at least one supply-chain attack that delivered malware to customers on two separate occasions. Now it has been hit by a ransomware attack from prolific fame-seeking hackers. The streak of misfortunes started on March 19, with the supply-chain attack of Trivy, a widely used vulnerability scanner. The attackers behind the breach first breached the Trivy GitHub account and then used their access to push malware to Trivy users, one of which was Checkmarx. The pushed malware scoured infected machines for repository tokens, SSH keys, and other credentials. Both a target and delivery mechanism Four days later, Checkmarx's GitHub account was compromised and began pushing malware to the security firm's users. The company contained and remediated the breach and replaced the malware with the legitimate apps. Or so Checkmarx thought. On April 22, the company's GitHub account pushed a new wave of malware, suggesting either that the previous breach hadn't been fully fixed or that a new, unidentified hack had occurred. The company once again worked to boot the attackers out of the account. According to security firm Socket, the official Checkmarx/kics Docker Hub repo also published malicious packages around the same time. On Monday, Checkmarx disclosed there was another chapter to the saga. The company said that a ransomware group tracked as Lapsu$ last week dumped a tranche of private data onto the dark web. The date stamp of the dumped material was March 30. Based on the date stamp, it appears that the attackers maintained their access to the GitHub account following Checkmarx's March 23 discovery of the compromise, and attempts to drive them out failed. "Current evidence indicates that this data originated from Checkmarx's GitHub repositories, and that access to those repositories was facilitated through the initial supply chain attack of March 23, 2023," Checkmarx said Monday. The company didn't say what kinds of data were leaked. Checkmarx isn't the only security company to suffer the aftereffects of the Trivy breach. Socket said that another security firm, Bitwarden, was also hit in the same supply-chain attack. Socket tied the Bitwarden breach to the Trivy campaign because the payload used the same C2 endpoint and core infrastructure as the Checkmarx malware. The Trivy attack was carried out by a group calling itself TeamPCP. The group is among the most successful access-broker operations, a class of hackers that smashes and grabs credentials from victims and then sells them to other hackers. The key to its ascendency is its targeting of tools that already have privileged access. In the case of Checkmarx, it appears TeamPCP sold access credentials to Lapsu$, a ransomware group made up mostly of teenagers known as much for its skill in breaching large companies as its taunts and braggadocio once it succeeds. The incidents demonstrate the cascading effects a single breach can have. With both Checkmarx and Bitwarden affected, it's possible that there will be new attacks on their customers or partners, and that even more downstream compromises could result from those. Socket CEO Feross Aboukhadijeh said in an email that security organizations are particular targets because of their products' close proximity to sensitive data and their wide distribution across the Internet. "You will see this same thread throughout these compromises," Aboukhadijeh said. "Attackers are treating security tools as both a target and a delivery mechanism. They are attacking the products that are supposed to protect the supply chain, then using those same products to steal credentials and move to the next victim."

Qué observar

Perspectiva de IA — posibilidades, no hechos

  • More companies will be identified as affected by the Trivy supply chain attack

    Muy probable · En semanas

  • Increased regulatory scrutiny of security tool supply chains

    Probable · En meses

Preguntas abiertas

  • What specific data was leaked in the Lapsu$ dump?
  • How did attackers maintain access after Checkmarx's remediation efforts?
  • Were any customer systems actually compromised through the malware pushes?
  • What specific vulnerabilities allowed the initial Trivy breach?

Temas relacionados

This article was originally published by Ars Technica.

Noticias relacionadas

Más sobre este temacheckmarx