Securing Your Software Supply Chain: Lessons from the Checkmarx and Bitwarden Attacks

Overview

Supply-chain attacks have become a leading threat to organizations, particularly those in the security space. In early 2025, two prominent security firms—Checkmarx and Bitwarden—fell victim to a coordinated campaign that exploited vulnerabilities in their software distribution pipelines. Over a span of 40 days, Checkmarx experienced a supply-chain breach via the Trivy vulnerability scanner, followed by a direct compromise of its own GitHub repository, and finally a ransomware attack. Bitwarden, too, was targeted in what appears to be the same campaign. This tutorial dissects the attack chain, outlines critical defenses, and provides actionable steps to protect your own software supply chain from similar threats.

By the end of this guide, you'll understand how attackers infiltrated these security firms, the common pitfalls that enabled the breaches, and how to implement robust security measures—from repository hygiene to credential rotation—to safeguard your development and deployment pipelines.

Prerequisites

Before diving into the step-by-step analysis, ensure you have a basic understanding of:

• Software supply chain concepts – How dependencies, CI/CD pipelines, and code repositories interact.
• GitHub workflows – Knowledge of repositories, actions, secrets, and access controls.
• Credential management – Familiarity with tokens, SSH keys, and environment variables.
• Basic security terminology – Malware, ransomware, account takeover, and remediation.

You do not need advanced penetration testing skills, but a willingness to adopt security-first practices is essential.

Step-by-Step: Dissecting the Attack and Building Defenses

Step 1: Understand the Initial Supply-Chain Breach

The attack began on March 19, 2025, when Checkmarx—a user of the widely used Trivy vulnerability scanner—received malicious updates through no fault of its own. Attackers had previously compromised the Trivy GitHub account and pushed malware camouflaged as legitimate updates. The malware, upon installation, stealthily searched for repository tokens, SSH keys, and other credentials on the infected machine.

Key Takeaway: Even when you trust a dependency, its upstream security can be compromised. Always treat third-party components as potential threats.

Step 2: Identify How Attackers Pivoted to Checkmarx’s GitHub

By April 23, the attackers had obtained Checkmarx’s own GitHub credentials—likely exfiltrated during the initial Trivy infection. They then used those credentials to push fraudulent malware directly from Checkmarx’s own repository to its customers. Checkmarx detected and remediated the breach, replacing the malicious artifacts with legitimate ones—but the damage was done.

Actionable Mitigation:

• Rotate all credentials immediately after any suspected compromise.
• Enable GitHub’s secret scanning and push protection to block accidental exposure of tokens.
• Implement branch protection rules that require code review and automated security checks before merging.

Code snippet: GitHub Action to detect unexpected credential exposures

name: Secret Leak Detection
on: [push, pull_request]
jobs:
  secret-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: markmap/secrets-scanner@v1
        with:
          high_confidence_only: true

Step 3: Recognize the Ransomware Aftermath

Weeks later, ransomware struck Checkmarx—a fame-seeking group claimed responsibility. This attack was not a direct part of the supply-chain incident, but it exploited the weakened security posture created by the earlier breaches. Bitwarden similarly reported suspicious activity, though details remain sparse.

Defense Strategy:

• Maintain offline backups to avoid ransom dependency.
• Segment networks so that a developer compromise doesn’t cascade to production servers.
• Conduct regular tabletop exercises simulating supply-chain attacks.

Step 4: Fortify Your Own Supply Chain

Based on the Checkmarx and Bitwarden incidents, here is a comprehensive checklist:

1. Audit your dependencies – Use tools like npm audit or snyk test to identify known vulnerabilities.
2. Enforce multi-factor authentication (MFA) on all code repository accounts and CI/CD systems.
3. Limit token lifetimes – Use short-lived tokens and rotate them automatically via secrets management tools (e.g., HashiCorp Vault).
4. Monitor for anomalous commits – Check for unexpected changes to package.json, Dockerfile, or build scripts.
5. Implement signed commits – Require all developers to sign their commits with GPG or SSH keys.

Example configuration for required commit signing in GitHub:

git config --global commit.gpgsign true
git config --global user.signingkey YOUR_KEY_ID

Step 5: Establish an Incident Response Plan

When a supply-chain breach is suspected, act fast:

• Isolate infected systems immediately.
• Revoke all exposed credentials and generate new ones.
• Notify downstream users and provide clear instructions for verifying software integrity.
• Conduct a root cause analysis to prevent recurrence.

Jump to Common Mistakes

Common Mistakes and How to Avoid Them

Mistake 1: Trusting Dependencies Blindly

Many teams assume that security vendors are infallible. The Checkmarx incident proves that even security firms can be used as delivery mechanisms. Always verify checksums, use private package mirrors, and pin dependency versions.

Mistake 2: Delayed Credential Rotation

After the first breach, Checkmarx contained the immediate issue but may not have rotated all credentials promptly. This allowed attackers to re-enter. Automate credential rotation with a maximum 7-day policy.

Mistake 3: Ignoring the Human Element

Ransomware often arrives through phishing. Combine technical controls with security awareness training. Teach employees to recognize social engineering tactics.

Mistake 4: Overlooking Non-Code Artifacts

Attackers can inject malware into documentation, README files, or GitHub Actions workflows. Scan all files—not just source code—for malicious patterns.

Mistake 5: Failing to Plan for Ransomware After a Supply-Chain Breach

The two attacks on Checkmarx were linked; the ransomware capitalized on the chaos. Have separate, air-gapped backups ready.

Summary

Supply-chain attacks like those against Checkmarx and Bitwarden demonstrate that even security firms are not immune. By understanding the attack chain—initial dependency compromise, credential theft, repository takeover, and subsequent ransomware—you can build layered defenses. Prioritize strong access controls, continuous monitoring, and rapid incident response. Stay vigilant: your code is only as secure as the weakest link in your supply chain.