
When the Shield Becomes the Spear: Checkmarx and Bitwarden Fall to the Same Supply-Chain Campaign

A 2023 supply-chain intrusion by access-broker group TeamPCP has claimed two major security vendors — Checkmarx and Bitwarden — exposing a predatory new attack logic.


A supply-chain intrusion from March 2023 has resurfaced as a multi-vendor crisis, with Checkmarx confirming exposure and Bitwarden now linked to the same campaign. The incident underscores a hardening doctrine among sophisticated threat actors: breach the defenders first, then use their privileged position to cascade through everything downstream.

The Trivy Breach and Its Long Tail

Checkmarx confirmed this week that data was exfiltrated from its GitHub repositories as a direct consequence of an attack dated March 23, 2023. Cybersecurity research firm Socket has since linked a separate incident at Bitwarden to the same operation: forensic analysis found the Bitwarden payload sharing command-and-control infrastructure with the Checkmarx intrusion, an overlap Socket judged strong enough to attribute both breaches to a single campaign.

The group behind that campaign is TeamPCP, one of the most active access-broker operations currently tracked by researchers. Unlike ransomware crews that deploy payloads themselves, access brokers specialize in harvesting privileged credentials and selling them onward. TeamPCP’s defining characteristic is its deliberate focus on tools that already hold elevated permissions inside enterprise networks.

Lapsus$: The Downstream Buyer

According to Ars Technica, stolen Checkmarx credentials appear to have been acquired by Lapsus$, an extortion collective whose members have largely been teenagers. The group has a track record of penetrating large technology organizations, relying heavily on purchased access and social engineering rather than novel exploits.

The Lapsus$ connection reveals the full commercial structure of a modern supply-chain attack: TeamPCP as the specialist intrusion layer, Lapsus$ as the monetization layer. Security vendors are especially prized entry points because their products are distributed widely and sit adjacent to the most sensitive data in any organization.

Why This Matters

Socket CEO Feross Aboukhadijeh framed the strategic logic plainly, writing that attackers are “treating security tools as both a target and a delivery mechanism … then using those same products to steal credentials and move to the next victim.”

With Checkmarx confirming exfiltration and Bitwarden tied to the same campaign, the exposure extends outward to both customer bases. Each vendor's products are embedded in development pipelines and credential-management flows, high-trust environments where any further exploitation could produce yet another generation of downstream victims. The Trivy campaign is a sharp demonstration that the supply-chain attack surface now includes the very tools organizations deploy to defend it.

Frequently Asked Questions

What is the Trivy supply-chain attack and who carried it out?

A March 2023 intrusion orchestrated by TeamPCP, an access-broker group, that compromised the ecosystem around Trivy, the open-source security scanner, to harvest credentials from downstream victims including Checkmarx and Bitwarden.

Why do attackers specifically target security vendors in supply-chain campaigns?

Security products hold privileged, broad access to enterprise environments, making them simultaneously high-value targets and ready-made delivery mechanisms for reaching the vendors' customers.

#cybersecurity #supply-chain #Checkmarx #Bitwarden #Lapsus$ #TeamPCP