Supply Chain Attack Trojans Checkmarx Artifacts and Bitwarden CLI Package
A supply chain attack compromised multiple Checkmarx distribution channels, including KICS Docker images, the Checkmarx VS Code extension, and the ast-github-action GitHub Action, with the malicious artifacts built to collect, encrypt, and exfiltrate secrets from affected environments. Reporting linked the activity to TeamPCP, which publicly claimed responsibility, and described the campaign as distinct from an earlier March incident involving Checkmarx.
The activity later expanded to the Bitwarden CLI ecosystem, where a malicious version of the npm package @bitwarden/cli was briefly published. The trojanized VS Code extensions were also reported to target npm tokens, raising the risk of follow-on supply chain compromise, while some malicious Docker images were removed by about 18:20 UTC on April 22; however, the compromised extensions reportedly remained available on OpenVSX into April 23.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Malicious Checkmarx extensions remain available on OpenVSX
As of 00:00 UTC on April 23, the malicious Checkmarx extensions reportedly remained available on OpenVSX. This indicated that not all compromised distribution channels had been remediated at that time.
Malicious activity expands to Bitwarden CLI npm package
On April 23, the campaign expanded beyond Checkmarx to include the Bitwarden CLI npm package, where a malicious version of @bitwarden/cli was temporarily published. The malicious artifacts in the broader campaign were designed to gather, encrypt, and exfiltrate secrets.
Malicious Checkmarx Docker images removed
Some of the malicious Checkmarx Docker images were removed by approximately 18:20 UTC. The removal occurred while other malicious artifacts from the same campaign were still being tracked.
Checkmarx distribution channels compromised in supply-chain attack
A supply-chain attack compromised multiple Checkmarx distribution channels, including KICS Docker images, the Checkmarx VS Code extension, and the ast-github-action GitHub Action. Wiz described this incident as separate from a prior March 23, 2026 case, and TeamPCP publicly claimed responsibility.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
TeamPCP Supply-Chain Attacks Poisoned Trivy, KICS, LiteLLM, Telnyx, and Bitwarden
A broad software supply-chain campaign attributed to **TeamPCP** compromised trusted developer and security tools, beginning with a poisoned **Trivy GitHub Action** after attackers allegedly stole a personal access token via a misconfigured `pull_request_target` workflow. Researchers said malicious commits were pushed to most Trivy action tags, allowing the attackers to steal CI/CD secrets, cloud credentials, SSH keys, Kubernetes configuration, and other sensitive data from downstream users. The campaign then spread through stolen credentials to additional projects, including **Checkmarx KICS**, **LiteLLM** versions `1.82.7` and `1.82.8` on PyPI, the **Telnyx SDK**, and later **Bitwarden CLI**, with malware exfiltrating data to attacker-controlled infrastructure such as `checkmarx[.]zone` and `models[.]litellm[.]cloud`. Reporting also tied the operation to hundreds of compromised systems and large-scale theft of `.env` files and secrets from cloud, AI, payment, database, and messaging environments. The fallout expanded beyond package poisoning into downstream intrusions and data leaks. **Checkmarx** confirmed that data later leaked by **LAPSUS$** came from its private GitHub repository and said the initial access was likely enabled by credentials exposed in the Trivy-related compromise; researchers also linked the broader campaign to **Bitwarden** through shared malware and command-and-control patterns. Malicious KICS Docker images, GitHub Actions, and editor extensions were reported to steal credentials and scan results, while Bitwarden’s CI/CD workflow was allegedly abused to expose an npm token and publish a tainted `@bitwarden/cli` release. Security researchers and vendors warned that the campaign shows how attackers are increasingly targeting open-source maintainers and security tooling as high-leverage entry points, with reported ties to extortion and ransomware groups including **LAPSUS$** and **Vect** raising the risk that stolen access will be resold or used for follow-on attacks.
Jun 10, 2026
Malicious Bitwarden CLI npm Package Stole Secrets in Supply-Chain Breach
Bitwarden confirmed that attackers briefly distributed a malicious `@bitwarden/cli` package, version `2026.4.0`, through npm after compromising the CLI release process. The trojanized package was available for roughly 90 minutes on April 22 and was downloaded by a limited number of users before being removed. Bitwarden said the incident was confined to the npm-distributed command-line tool and did not affect its main password manager, customer vault data, production systems, or production data. The company revoked compromised access, deprecated the release, and directed affected users to remove the package, clear npm cache, rotate exposed secrets, and upgrade to `2026.4.1` or use trusted signed binaries. Security researchers linked the breach to a wider software supply-chain campaign tied to compromised Checkmarx infrastructure and CI/CD workflows, including abuse of GitHub Actions trusted publishing. Analyses said the payload harvested GitHub and npm tokens, SSH keys, cloud credentials, environment variables, shell history, and cryptocurrency wallet files such as MetaMask, Phantom, and Solana data, making the incident especially dangerous for organizations using Bitwarden CLI in automated pipelines. Researchers also reported worm-like propagation, encrypted exfiltration to `audit.checkmarx.cx`, fallback GitHub-based command-and-control, memory scraping on self-hosted runners, and attempts to poison AI coding assistants by appending hidden text to shell startup files.
May 25, 2026
Checkmarx KICS Supply Chain Attack Spread Across GitHub Action and Docker Images
The Checkmarx **KICS** ecosystem was hit by a supply chain compromise that first affected the official GitHub Action and later appeared in official Docker Hub artifacts. Wiz reported that attackers repointed 35 KICS GitHub Action tags to malicious commits during a roughly four-hour window, delivering credential-stealing malware to users pinned to affected versions. The activity was linked with high confidence to **TeamPCP**, the actor previously tied to the Trivy GitHub Action compromise, based on shared tradecraft including the same RSA public key, similar naming conventions, and use of a compromised GitHub service account to redirect tags to attacker-controlled code. The malware used the domain `checkmarx.zone`, attempted token theft and exfiltration, and could create `docs-tpcp` repositories with stolen `GITHUB_TOKEN` credentials as a fallback channel.
May 11, 2026