Sondizi

How Cybercriminals Exploited Checkmarx and Bitwarden: A Step-by-Step Breakdown of the Supply-Chain Attack

Step-by-step breakdown of the March 2025 supply-chain attack that compromised Trivy, then Checkmarx and Bitwarden, using stolen credentials to push malware and ransomware.

Sondizi · 2026-05-02 09:22:32 · Cybersecurity

Introduction

In early 2025, a sophisticated supply-chain attack targeted two major security firms—Checkmarx and Bitwarden—by first compromising a widely used vulnerability scanner called Trivy. Over the course of 40 days, attackers leveraged initial access to push malware to downstream users, eventually gaining control of Checkmarx's GitHub account and deploying ransomware. This guide breaks down the exact steps the attackers took, from the initial breach to the final payload. Understanding this sequence helps security teams build defenses against similar threats.

How Cybercriminals Exploited Checkmarx and Bitwarden: A Step-by-Step Breakdown of the Supply-Chain Attack
Source: feeds.arstechnica.com

What You Need

  • Basic understanding of software supply chains and CI/CD pipelines
  • Familiarity with GitHub repositories and token management
  • Knowledge of malware analysis (optional but helpful)
  • A test environment to simulate attack vectors (recommended)

Step-by-Step Attack Sequence

Step 1: Breach the Trivy GitHub Account

The attackers began by compromising the official GitHub account of Trivy, an open-source vulnerability scanner maintained by Aqua Security. They likely used stolen credentials, session tokens, or a supply-chain attack against Trivy's own dependencies. Once inside, they gained full write access to the repository.

Step 2: Inject Malware into Trivy Releases

Using their elevated access, the attackers pushed malicious code into the Trivy repository. This malware was embedded in release artifacts and configured to execute during installation or runtime. The payload had two primary functions: scour infected machines for sensitive credentials (repository tokens, SSH keys, etc.) and establish a backdoor for remote control.

Step 3: Wait for Downstream Victims to Update

Because Trivy is widely used by security firms and DevOps teams, the infected version was downloaded and run by numerous organizations. Checkmarx was one such victim. When their systems executed the malicious Trivy binary, it exfiltrated GitHub tokens and SSH keys—including those belonging to Checkmarx’s own GitHub account.

Step 4: Use Stolen Credentials to Compromise Checkmarx’s GitHub

Armed with Checkmarx’s credentials, the attackers logged into the company’s GitHub account on March 23. They then pushed malware directly to Checkmarx’s repositories, targeting the company’s own customers. This made Checkmarx both a victim and an unwitting distribution channel for the same attack.


Step 5: Deploy Ransomware to Checkmarx’s Systems

After seizing control of the GitHub account, the attackers moved laterally within Checkmarx’s internal network. On a separate occasion (about 40 days from the initial breach), they deployed ransomware—a clear escalation from stealthy data theft to destructive extortion. The ransomware encrypted critical servers and databases, demanding payment in cryptocurrency.

Step 6: Target Bitwarden via Similar TTPs

Simultaneously, the attackers applied the same playbook against Bitwarden, a popular password manager. Although fewer details are public, evidence suggests they reused the stolen Trivy credentials or leveraged similar vulnerabilities in Bitwarden’s development pipeline. The goal was to poison Bitwarden’s updates and steal encryption keys or user secrets.

Conclusion & Tips for Defense

This attack shows how a single compromised dependency can cascade into a major breach of multiple security firms. To protect against similar supply-chain attacks:

  • Harden GitHub access: Use branch protection rules, enforce MFA for all repository admins, and rotate tokens frequently.
  • Audit third-party dependencies: Regularly scan your software supply chain using trusted but isolated tools (e.g., run Trivy in a sandbox).
  • Implement credential hygiene: Never store long-lived tokens in code; issue short-lived credentials from a secrets manager instead.
  • Monitor for anomalous releases: Alert on unexpected changes to release tags or hashes.
  • Plan incident response for supply-chain breaches: Have a runbook that includes revoking all tokens and rebuilding from trusted upstream sources.
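As an added example (not code from the article or from any project it names), here is a Python check that implements the "monitor for anomalous releases" and hash-pinning advice above: each vetted release tag is pinned to its artifact's SHA-256, unknown or mismatched artifacts are refused before installation, and the set of releases upstream currently publishes is diffed against the baseline. The tags and hashes are constructed placeholders, not real Trivy values.

```python
import hashlib
import hmac
from typing import Dict, List

# Constructed baseline: release tag -> SHA-256 of the artifact recorded when the
# release was first vetted. Placeholder values, not real Trivy release hashes.
PINNED_RELEASES: Dict[str, str] = {
    "v0.1.0": hashlib.sha256(b"scanner-release-0.1.0").hexdigest(),
    "v0.2.0": hashlib.sha256(b"scanner-release-0.2.0").hexdigest(),
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a downloaded artifact."""
    return hashlib.sha256(data).hexdigest()


def verify_artifact(tag: str, data: bytes,
                    pinned: Dict[str, str] = PINNED_RELEASES) -> bool:
    """True only if `tag` was vetted and the artifact matches its pinned hash.
    An unknown tag is rejected: nothing runs that was never reviewed."""
    expected = pinned.get(tag)
    if expected is None:
        return False
    # Constant-time comparison so a mismatch never leaks through timing.
    return hmac.compare_digest(sha256_hex(data), expected)


def release_drift(observed: Dict[str, str],
                  pinned: Dict[str, str] = PINNED_RELEASES) -> List[str]:
    """Diff the releases upstream currently publishes (tag -> hash) against the
    baseline. Returns sorted alert strings; empty means nothing changed.
    HASH_CHANGED on an existing tag is the case that matters most: a release
    that was already vetted has been silently re-published with a different
    artifact, which is how a poisoned scanner reaches downstream users."""
    alerts: List[str] = []
    for tag, digest in observed.items():
        if tag not in pinned:
            alerts.append(f"NEW_TAG {tag}")
        elif not hmac.compare_digest(digest, pinned[tag]):
            alerts.append(f"HASH_CHANGED {tag}")
    for tag in pinned:
        if tag not in observed:
            alerts.append(f"TAG_REMOVED {tag}")
    return sorted(alerts)


if __name__ == "__main__":
    # Constructed snapshot: v0.2.0 re-published with a different artifact, v0.3.0 new.
    snapshot = {"v0.1.0": PINNED_RELEASES["v0.1.0"],
                "v0.2.0": sha256_hex(b"scanner-release-0.2.0-tampered"),
                "v0.3.0": sha256_hex(b"scanner-release-0.3.0")}
    for alert in release_drift(snapshot):
        print(alert)
```

A NEW_TAG alert is expected when upstream ships a new version and should trigger review before the baseline is extended; HASH_CHANGED and TAG_REMOVED should block installs until explained.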

By understanding the attacker’s steps, your organization can build proactive defenses and respond faster when the next supply-chain attack hits.
