
Supply chain attacks hit Checkmarx and Bitwarden developer tools

Two supply chain attacks, same day, same command-and-control domain
Author - Sophos Logo

Sophos X-Ops is aware of reports that two widely-used developer tools – the Checkmarx KICs security scanner and the Bitwarden CLI – were hijacked on April 22, 2026, to steal credentials from development environments. 

These attacks occurred within hours of each other and share the same command-and-control (C2) domain – potentially pointing to a single threat actor running a coordinated campaign.

Both vendors have since reportedly contained the incidents. This post walks through what happened, what was stolen, and what defenders should do now. Sophos protections are in place for both intrusions; detections and indicators are included at the end of this post.

The short version

A threat actor compromised the pipeline(s) and distribution channels of two developer-tooling vendors, seemingly on the same day. Malicious versions of Checkmarx KICS (distributed via Docker Hub, Open VSX, and GitHub Actions) and the Bitwarden CLI (distributed via npm) were pushed to official channels and presented as legitimate releases. 

Both malicious payloads attempted to harvest the following sensitive information:

  • GitHub and npm tokens
  • SSH keys
  • Cloud provider credentials
  • AI assistant configurations

Moreover, both payloads attempted to exfiltrate stolen data to audit.checkmarx[.]cx (94.154.172[.]43).

It’s worth noting that, just last month, a threat actor known as TeamPCP compromised Checkmarx’s GitHub Actions for two repositories, apparently leveraging previously stolen CI/CD secrets. Repositories for Trivy, Telnyx, and LiteLLM were also reportedly affected in those attacks.

At this time, we have no intelligence to suggest that the most recent attacks are connected to that campaign.

Incident 1: Checkmarx KICS

Checkmarx KICS is an open-source infrastructure-as-code security scanner used widely across CI/CD pipelines. On April 22, an attacker pushed malicious artifacts across three distribution channels:

  • Docker Hub. The checkmarx/kics repository — which has over five million cumulative pulls — received tampered images under tags v2.1.20-debian, v2.1.20, debian, alpine, and latest, plus a newly introduced tag v2.1.21. Inside each image, the Go-based KICS ELF binary had been modified to add unauthorized telemetry and an exfiltration routine that encrypted scan reports and sent them to the attacker's endpoint.
  • Open VSX / VS Code extensions. Two official Checkmarx extensions were reportedly tampered with: checkmarx/cx-dev-assist (versions 1.17.0 and 1.19.0) and checkmarx/ast-results (versions 2.63.0 and 2.66.0). Combined installs exceeded 1,000 at the time of analysis. The attacker added a hidden ‘MCP addon’ feature that pulled a ~10MB payload (mcpAddon.js) from a hardcoded GitHub URL and executed it via the Bun runtime on extension activation. Notably, the attacker manipulated Git history to backdate the introducing commit to 2022, making the malicious feature appear to be long-established code.
  • GitHub Actions. The ast-github-action repository was tagged with a malicious release (2.3.35) carrying the same credential-theft logic.

mcpAddon.js is designed to sweep development environments for high-value secrets, including GitHub tokens, npm tokens, AWS/Azure/GCP credentials, SSH keys, environment variables, and configuration files for Claude and other AI tools. This harvested data is then exfiltrated to hxxps://audit[.]checkmarx[.]cx/v1/telemetry.

Incident 2: Bitwarden CLI

Also on April 22, an attacker compromised a GitHub Action used in Bitwarden's CI/CD pipeline and published a trojanized @bitwarden/cli version 2026.4.0 to npm. The malicious package was live for approximately 90 minutes, between 17:57 and 19:30 ET, before being pulled. The package draws more than 70,000 weekly downloads.

There are similarities with the Checkmarx payload described above. A preinstall hook invoked a loader (bw_setup.js) that downloaded the Bun runtime and launched an obfuscated second-stage payload (bw1.js). That payload targeted similar assets (GitHub and npm tokens, SSH keys, shell history, cloud credentials, and AI tool configurations for Claude, Cursor, and Aider), then encrypted the collected data with AES-256-GCM and exfiltrated it to the same audit.checkmarx[.]cx endpoint.

Two features of this payload stand out. First, stolen GitHub tokens were weaponized in-line: the payload used them to inject malicious workflows into victim repositories, giving the attacker a durable foothold and an automated path to spread further. Second, the attacker created public repositories in victim GitHub accounts and stored the encrypted stolen data inside them – essentially using the victim's own infrastructure as a dead drop.

To our knowledge, only the CLI npm package was affected; the Bitwarden browser extensions, desktop apps, mobile apps, and user vault data were not compromised.

Implications

These attacks targeted tools in which trust plays a central role: a security scanner and a password manager. Both run in high-privileged contexts, where credential material is abundant and scrutiny of tool behavior may be low. A stolen cloud credential or long-lived GitHub token harvested from one developer's machine is a potential foothold for an entire production infrastructure.

The shared C2, payload similarities, and the deliberate targeting of AI assistant configurations (Claude, Cursor, Aider, and MCP configs) could indicate a threat actor who understands modern development environments and is collecting with an eye toward pivoting later.

What to do now

If your organization consumed any of the affected artifacts during the time period described, treat the affected hosts as compromised and act accordingly:

  1. Remove the malicious versions immediately. Pin or downgrade to known-good releases, rebuild any container images derived from the affected KICS tags, and purge caches.
  2. Rotate credentials. GitHub and npm tokens, cloud provider keys (AWS, Azure, GCP), SSH keys, and any CI/CD secrets that may have been present on affected hosts should be considered compromised. Rotate them, and audit for use from unfamiliar IPs.
  3. Audit GitHub for injected workflows and unexpected repositories. The Bitwarden payload both modified existing workflows and created new public repositories in victim accounts. Review workflow history and the repository list for any accounts a compromised token could access.
  4. Enable MFA on package registry and cloud accounts wherever it isn't already on.
  5. Review AI assistant configurations. If Claude, Cursor, Aider, or MCP configuration files were present on an affected host, assume the contents were exfiltrated. Rotate any embedded secrets.
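As an added example (not code from the post, Checkmarx or Bitwarden), a small Python triage script that checks a repository's Dockerfile, GitHub workflow and package-lock.json for references to the affected artifacts listed in this post. It assumes the action is referenced as checkmarx/ast-github-action and that the lockfile uses the v2/v3 "packages" layout; the sample inputs are constructed.

```python
import json
import re

# Affected versions exactly as listed in the advisory's indicators section.
KICS_BAD_TAGS = {"v2.1.20-debian", "v2.1.20", "debian", "alpine", "latest", "v2.1.21"}
ACTION_BAD_TAGS = {"2.3.35"}
NPM_BAD = {"@bitwarden/cli": {"2026.4.0"}}

# FROM checkmarx/kics[:tag][@digest]   (assumed reference form; owner "checkmarx" for the action is an assumption)
FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?checkmarx/kics(?::([^\s@]+))?(@\S+)?", re.M | re.I)
USES_RE = re.compile(r"uses:\s*checkmarx/ast-github-action@(\S+)", re.I)


def scan_dockerfile(text):
    """Return affected KICS image tags referenced by FROM lines."""
    hits = set()
    for tag, digest in FROM_RE.findall(text):
        if digest:  # digest-pinned: compare the digest against vendor-published values instead
            continue
        hits.add(tag or "latest")  # an untagged reference pulls :latest, which was affected
    return sorted(t for t in hits if t in KICS_BAD_TAGS)


def scan_workflow(text):
    """Return affected ast-github-action tags referenced by 'uses:' lines."""
    return sorted({t for t in USES_RE.findall(text) if t in ACTION_BAD_TAGS})


def scan_package_lock(text):
    """Return (package, version) pairs in a v2/v3 lockfile matching the trojanized npm release."""
    hits = []
    for path, meta in json.loads(text).get("packages", {}).items():
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        if meta.get("version") in NPM_BAD.get(name, set()):
            hits.append((name, meta["version"]))
    return hits


# Constructed sample inputs, not real project files.
SAMPLE_DOCKERFILE = "FROM checkmarx/kics:v2.1.21 AS scanner\nFROM alpine:3.19\n"
SAMPLE_WORKFLOW = "steps:\n  - uses: actions/checkout@v4\n  - uses: checkmarx/ast-github-action@2.3.35\n"
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3,
                          "packages": {"node_modules/@bitwarden/cli": {"version": "2026.4.0"}}})

if __name__ == "__main__":
    print("KICS tags:", scan_dockerfile(SAMPLE_DOCKERFILE))
    print("Action tags:", scan_workflow(SAMPLE_WORKFLOW))
    print("npm:", scan_package_lock(SAMPLE_LOCK))
```

Any hit means the host or pipeline that built from these files should be treated as compromised per the steps above; a clean result does not clear hosts that pulled the images directly from Docker Hub.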

Further information is available in Checkmarx’s security advisory and Bitwarden’s statement.

Sophos protections

Sophos has the following protections in place relating to the described attacks:

  • JS/Steal-EAP
  • JS/Agent-BLZZ
  • Linux/Agnt-HZ

The known attacker C2 infrastructure is blocked across Sophos products. Our Managed Detection and Response (MDR) teams are conducting threat hunts.

Indicators of compromise

Affected artifacts

  • Docker Hub: checkmarx/kics — tags v2.1.20-debian, v2.1.20, debian, alpine, latest, v2.1.21
  • Open VSX: checkmarx/cx-dev-assist versions 1.17.0, 1.19.0
  • Open VSX: checkmarx/ast-results versions 2.63.0, 2.66.0
  • GitHub Actions: ast-github-action tag 2.3.35
  • npm: @bitwarden/cli version 2026.4.0 (live 17:57–19:30 ET, April 22, 2026)

Network

  • audit[.]checkmarx[.]cx
  • 94.154.172[.]43
  • hxxps://audit.checkmarx[.]cx/v1/telemetry

Sophos X-Ops is continuing to track this campaign and will update this post as new information becomes available.
