Checkmarx, a prominent security firm, has been targeted in a series of attacks over the past 40 days, including at least one supply-chain attack that delivered malware to customers on two separate occasions [1]. The first incident occurred on March 19, when the Trivy vulnerability scanner, used by Checkmarx, was compromised, allowing attackers to push malware to Trivy users. This was followed by a ransomware attack from a well-known hacking group. Another security firm, Bitwarden, was targeted in a similar supply-chain attack. The attacks highlight how exposed security companies themselves are to supply-chain attacks, which can have devastating consequences for their customers. The fact that Checkmarx, a firm specializing in security, was breached multiple times raises concerns about the effectiveness of its security measures. This matters to security practitioners because it underscores the need for robust supply-chain risk management and for regularly assessing the security of third-party vendors.
Why a recent supply-chain attack singled out security firms Checkmarx and Bitwarden
Why This Matters
Over the past 40 days, Checkmarx has been the victim of at least one supply-chain attack that delivered malware to customers on two separate occasions.
References
- Ars Technica. (2026, April 29). Why a recent supply-chain attack singled out security firms Checkmarx and Bitwarden. Ars Technica. https://arstechnica.com/information-technology/2026/04/why-a-recent-supply-chain-attack-singled-out-security-firms-checkmarx-and-bitwarden/
Original Source: Ars Technica