TL;DR —
-
- What happened: On April 22, 2026, attackers hijacked the official release pipelines for Checkmarx KICS (Docker Hub, Open VSX/VS Code extensions, and GitHub Actions) and the Bitwarden CLI (npm), publishing trojanized “legitimate” updates that quietly looted developer environments.
- Both payloads scraped GitHub and npm tokens, SSH keys, cloud credentials, and AI assistant configs (Claude, Cursor, Aider, MCP), then exfiltrated to a shared command-and-control endpoint.
- The Bitwarden payload also weaponized stolen GitHub tokens in real time—injecting malicious workflows and creating public “dead drop” repositories inside victim accounts.
- Attackers exploited the strongest trust signal a developer has—an “official” update from a security scanner or password manager—so they avoid more closely examining the update’s contents or details.
- What happened: On April 22, 2026, attackers hijacked the official release pipelines for Checkmarx KICS (Docker Hub, Open VSX/VS Code extensions, and GitHub Actions) and the Bitwarden CLI (npm), publishing trojanized “legitimate” updates that quietly looted developer environments.
- What you can do:
-
- Treat every dependency update as untrusted input until reviewed—even from “trusted” publishers.
- Rotate every token, key, and credential that was on a developer or CI host during the April 22 window.
- Pin versions and never auto-pull from “latest” or floating tags.
- Audit GitHub for unexpected workflows or new public repos under your accounts.
- Want to go deeper? Fable’s ebook “One ish, two ish: How to prevent modern phishing” covers more modern social engineering attacks like this one—no email required.
Socket: Two trusted developer tools hijacked on the same day
On April 22, 2026, Socket researchers confirmed that attackers hijacked the official release pipelines for two of the most trusted developer tools on the planet within hours of each other, removing victim data and secrets to the same attacker-owned servers.
| Impacted Tool | Description | Malicious actions |
| Checkmarx KICS | An open-source infrastructure-as-code security scanner with over five million cumulative pulls | Tampered Docker Hub images shipped under tags including latest, alpine, debian, and a brand new v2.1.21. |
| Two official Checkmarx VS Code extensions on Open VSX (cx-dev-assist and ast-results) were modified with a hidden “MCP addon” that pulled a 10MB second-stage payload from a hardcoded GitHub URL on extension activation. | ||
| The ast-github-action repo got a malicious release tag (2.3.35) carrying the same credential-theft logic. | ||
| Bitwarden CLI | A security tool that draws over 70,000 weekly downloads and serves a password manager used by 10+ million people | Compromised Bitwarden’s CI/CD pipeline via GitHub Action. |
| Published trojanized version “@bitwarden/cli@2026.4.0” to npm for 90 minutes. |
Both attacks sought the same prizes:
- GitHub and npm tokens
- AWS / Azure / GCP credentials
- SSH keys
- Environment variables
- Shell history
- AI assistant configuration files—including configs for:
- Claude
- Cursor
- Aider
- MCP servers
And, both attacks encrypted and sent their loot to the same domain (audit.checkmarx[.]cx).
The Bitwarden attack actually pushed further, using stolen GitHub tokens in-line—right after harvesting them!—to inject malicious workflows into victim repos and create new public repositories inside victim GitHub accounts. Those repos served as dead drops, with encrypted stolen data committed under Dune-themed names like “sandworm-fremen-042” and “atreides-mentat-117”. (Sound familiar?)
So while there’s no phishing email to forward to your security team here, the attack is on the human victim themselves—weaponizing developer trust in “official” update channels to convince an engineer to install code that quietly loots their entire dev environment.
Weaponized trust during Checkmarx and Bitwarden supply-chain attacks
There’s no phishing email lure here—as far as we know, anyway, since we’re currently unsure how threat actors originally compromised Checkmarx and Bitwarden CLI—but attackers still wielded social engineering to manipulate developers via channel-level trust exploitation.
See, both Bitwarden and Checkmarx are security brands. Developers don’t just trust them by habit; they trust them by reputation and assumed industry standards.
The malicious updates rode that trust into thousands of dev machines and CI pipelines without anyone needing to click anything ill-advised. Frankly, the attacks were both classic examples of “trusted relationship” abuse—listed as T1199 in the MITRE ATT&CK tactics, techniques, and procedures (TTPs).
T1199 is the same technique deployed during business email compromises (BECs), in which attackers infect a trusted vendor, supplier, or coworker’s email to help victims “turn off” their critical thinking brain while the attacker encourages them to divert funds or intellectual property from authorized channels.
Employees most at-risk of social engineering supply-chain attacks exploiting trusted relationships
It’s mostly developers with other compounding risky behaviors who are most vulnerable to the Checkmarx / Bitwarden supply-chain attack or others like it.
However, there are a few unique toxic combinations of employee groups you’ll want to keep an eye on during the fallout of this particular campaign.
| Vulnerable employee cohorts to Checkmarx / Bitwarden supply-chain attack (and similar) | Details |
| Developers and DevOps engineers
x Auto-update or rely on floating tags |
Pulling from latest, unpinned npm versions, or auto-merged dependabot PRs is precisely the workflow this attack exploits.
Combine that workflow with long-lived broad-scope tokens stored on dev machines, and you’ve got the classic toxic combination we featured in the Human Risk Report, Vol. 2: Elevated access + Outdated practices |
| Engineers
x Authorized or known use of AI coding tools (e.g., Claude, Cursor, Aider, MCP) |
Both payloads went out of their way to scrape AI assistant configuration files. If your engineers store API keys, MCP server tokens, or model credentials in those configs—and most do—those secrets were the target.
(Also, given the malware’s anti-AI ideological framing noted by both Socket and Sophos researchers, it seems attackers specifically wanted to hurt AI tool users. This cohort will be explicitly targeted during any future attacks by this threat group, likely using credentials stolen during this attack.) |
| Security teams and security-tool vendor employees | That includes any security people reading this bulletin!
The paradoxical risk: security teams trust security tools more than anyone else, often install them in elevated contexts, and routinely communicate with vendors and researchers in ways that look exactly like a social engineering setup. The Open VSX extensions hit here are used by exactly this cohort. |
| Engineers at smaller teams
x Missing or uninforced / unshared code review and pinning policies |
Startups and small platform teams that auto-merge dependency updates or skip code review for “internal-only” tooling are especially exposed.
The attack doesn’t care how big your team is; it cares whether you reviewed the diff. |
| Users with a history of cleartext secrets
x Storage in dotenv files, shell history, or AI tool configs |
Per HRR Vol. 2, cleartext secrets are a top-10 risky behavior—and this attack is a textbook reason why.
The malware specifically targets .env, .npmrc, .git-credentials, and shell history files. |
How developers and security teams can avoid trojanized supply-chain updates like the Checkmarx and Bitwarden attacks
- Treat dependency and tool updates as untrusted input, unless your organization has a security tool that analyzes update packages for malicious code.
- Pin specific known-safe package versions and avoid “latest” or floating tags.
- Upgrade only via reviewed pull requests—even from “trusted” publishers like Bitwarden and Checkmarx.
- Dependabot pull-requests (PRs) are fine; auto-merging them without a human-in-the-loop review is not.
- Verify publisher signatures and SBOM hashes, where available.
- Where they’re not, treat the absence itself as a signal.
- Minimize token scope and lifetime.
- Short-lived tokens with narrow scopes survive a compromise. Long-lived broad-scope GitHub package access trojans (PATs) sitting in “~/.npmrc” will not survive a compromise.
- Never store secrets in dotenv files, shell history, or AI assistant configs. Use an approved secret manager.
- Yes, it’s a few more keystrokes; yes, it’s worth it.
- Enable MFA on every package registry, cloud provider, and developer account.
- I’m talking npm, Docker Hub, Open VSX, GitHub, AWS, Azure, GCP, all of it.
- As with any compromise, rotate any exposed keys promptly if the affected versions ran on a developer or CI host during the April 22 window.
- Don’t wait for “confirmed compromise”—you won’t get it in time.
- Audit GitHub Actions and your repo lists routinely.
- Look for unexpected workflows, surprise public repos under your account or org—especially Dune-named ones, as we’re dealing with possibly Shai-Hulud-affiliated threat actors—and any outbound traffic to previously unnoticed or odd domains (e.g., audit.checkmarx[.]cx).
- Report supply chain anomalies—even small ones—to your security team.
- A weird npm install warning, a Bun process that shouldn’t exist, an unexplained new public repo under your account? Report it.
- These attacks depend on the time gap between compromise and detection, and you control that gap.
To learn more about phishing lures that also abuse trusted relationships, like BEC attacks, check out Fable Security’s free ebook, “One ish, two ish: How to prevent modern phishing“—no email required.
