arstechnica.com 4/29/2026, 11:32:14 AM

Trivy Supply Chain Attack Hits Checkmarx, Bitwarden via TeamPCP

Threat actor: Lapsu$

The article details a continued supply-chain compromise tied to the Trivy vulnerability scanner. It began with a breach of the Trivy GitHub account on 19 March and extended to Checkmarx when its GitHub account was compromised four days later. Checkmarx reportedly remediated the breach and replaced the malware, but a second wave appeared on 22 April, with the GitHub account again pushing malicious content and the Docker Hub repository also publishing harmful packages.

On 30 March 2023, data dumped by a ransomware group named Lapsu$ appeared to originate from Checkmarx's GitHub repos, suggesting ongoing access after an initial discovery on 23 March 2023. The same Trivy campaign also affected Bitwarden; according to Socket, that breach was linked to the same infrastructure and C2 endpoint as the Checkmarx malware.

The piece attributes the activity to a group calling itself TeamPCP, a known access broker, and highlights the cascading risk to customers and partners of security firms whose products sit close to sensitive data.


Article by CyberSIXT
