Introduction to Supply-Chain Attacks
A recent supply-chain attack has singled out security firms Checkmarx and Bitwarden, highlighting the risks of such breaches. The attack, which was carried out by a group calling itself TeamPCP, demonstrates the cascading effects a single breach can have.
Checkmarx reported that the attack originated from its GitHub repositories, and that access to those repositories was facilitated through the initial supply-chain attack. The company did not disclose what kinds of data were leaked. Bitwarden also reported a breach, stating that a malicious package was briefly distributed through the npm delivery path.
Impact on Security Firms
The incidents demonstrate the risks that security firms face from supply-chain attacks. Security organizations are particularly attractive targets because their products sit close to sensitive data and are widely distributed across the Internet. As Socket CEO Feross Aboukhadijeh noted, attackers are treating security tools as both a target and a delivery mechanism.
This highlights the importance of robust security measures for security firms, as well as the need for vigilance in detecting and responding to potential breaches. The fact that both Checkmarx and Bitwarden were affected by the same attack suggests that there may be further downstream compromises as a result.
Source
Original reporting by Ars Technica (https://arstechnica.com/information-technology/2026/04/why-a-recent-supply-chain-attack-singled-out-security-firms-checkmarx-and-bitwarden/).