Both a target and delivery mechanism
Four days later, Checkmarx’s GitHub account was compromised and began pushing malware to the security firm’s users. The company contained and remediated the breach and replaced the malware with the legitimate apps. Or so Checkmarx thought.
On April 22, the company’s GitHub account pushed a new wave of malware, suggesting either that the previous breach hadn’t been fully fixed or that a new, unidentified hack had occurred. The company once again worked to boot the attackers out of the account. According to security firm Socket, the official Checkmarx/kics Docker Hub repo also published malicious packages around the same time.
On Monday, Checkmarx disclosed there was another chapter to the saga. The company said that a ransomware group tracked as Lapsus$ last week dumped a tranche of private data onto the dark web. The date stamp of the dumped material was March 30. Based on the date stamp, it appears that the attackers maintained their access to the GitHub account following Checkmarx’s March 23 discovery of the compromise, and attempts to drive them out failed.
“Current evidence indicates that this data originated from Checkmarx’s GitHub repositories, and that access to those repositories was facilitated through the initial supply chain attack of March 23, 2023,” Checkmarx said Monday. The company didn’t say what kinds of data were leaked.
Checkmarx isn’t the only security company to suffer the aftereffects of the Trivy breach. Socket said that another security firm, Bitwarden, was also hit in the same supply-chain attack. Socket tied the Bitwarden breach to the Trivy campaign because the payload used the same C2 endpoint and core infrastructure as the Checkmarx malware.
The Trivy attack was carried out by a group calling itself TeamPCP. The group is among the most successful access-broker operations, a class of hackers that smashes and grabs credentials from victims and then sells them to other hackers. The key to its ascendancy is its targeting of tools that already have privileged access.
In the case of Checkmarx, it appears TeamPCP sold access credentials to Lapsus$, a ransomware group made up mostly of teenagers known as much for its skill in breaching large companies as for its taunts and braggadocio once it succeeds.
The incidents demonstrate the cascading effects a single breach can have. With both Checkmarx and Bitwarden affected, it’s possible that there will be new attacks on their customers or partners, and that even more downstream compromises could result from those. Socket CEO Feross Aboukhadijeh said in an email that security organizations are particular targets because of their products’ close proximity to sensitive data and their wide distribution across the Internet.
“You will see this same thread throughout these compromises,” Aboukhadijeh said. “Attackers are treating security tools as both a target and a delivery mechanism. They are attacking the products that are supposed to protect the supply chain, then using those same products to steal credentials and move to the next victim.”
Senior Security Editor
Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him on Mastodon and on Bluesky. Contact him on Signal at DanArs.82.