
Supply chain attacks hit Checkmarx and Bitwarden developer tools

A coordinated supply chain attack compromised official distribution channels for Checkmarx KICS and the Bitwarden CLI, pushing malicious updates designed to harvest developer credentials, cloud keys, and AI assistant configurations. The payloads exfiltrated data to a shared C2 domain and exhibited advanced techniques, including weaponizing stolen GitHub tokens to inject malicious workflows and using victim repositories as dead drops.

Sensitivity: Immediate · Confidence: high · Analyzed: 2026-04-24

Authors: Sophos X-Ops

Actors: TeamPCP

Source: Sophos

IOCs · 2

Key Takeaways

  • Threat actors compromised distribution channels for Checkmarx KICS and Bitwarden CLI on April 22, 2026.
  • Malicious payloads targeted developer secrets, including GitHub/npm tokens, cloud credentials, SSH keys, and AI assistant configurations.
  • Both attacks utilized the same C2 domain (audit.checkmarx.cx) for exfiltration, indicating a coordinated campaign.
  • The Bitwarden payload weaponized stolen GitHub tokens to inject malicious workflows and used victim accounts as dead drops for stolen data.
  • Attackers manipulated Git history in the Checkmarx compromise to backdate malicious commits to 2022.

Affected Systems

  • Checkmarx KICS (Docker Hub tags: v2.1.20-debian, v2.1.20, debian, alpine, latest, v2.1.21)
  • Checkmarx VS Code extensions (cx-dev-assist 1.17.0, 1.19.0; ast-results 2.63.0, 2.66.0)
  • Checkmarx GitHub Actions (ast-github-action 2.3.35)
  • Bitwarden CLI (@bitwarden/cli npm package version 2026.4.0)
  • CI/CD Pipelines
  • Developer Workstations

Attack Chain

Attackers compromised the distribution pipelines for Checkmarx KICS and Bitwarden CLI, publishing malicious versions to Docker Hub, Open VSX, GitHub Actions, and npm. Upon execution in developer environments, the payloads utilized the Bun runtime to execute JavaScript that harvested sensitive secrets, including cloud credentials, SSH keys, and AI assistant configurations. The Bitwarden payload additionally used stolen GitHub tokens to inject malicious workflows into victim repositories and created public repositories to act as dead drops for AES-256-GCM encrypted stolen data. All harvested data was exfiltrated to a shared C2 domain.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No
  • Platforms: Sophos

Sophos provides endpoint protections (JS/Steal-EAP, JS/Agent-BLZZ, Linux/Agnt-HZ) and blocks the known C2 infrastructure across its products.

Detection Engineering Assessment

  • EDR Visibility: Medium. EDR can detect execution of the Bun runtime and anomalous network connections from developer tools, but the malicious code runs within the context of legitimate CI/CD or developer processes, which may blend in with normal activity.
  • Network Visibility: High. The payloads exfiltrate data to a specific, hardcoded C2 domain (audit.checkmarx.cx) and IP address, which can be easily monitored and blocked at the network perimeter.
  • Detection Difficulty: Moderate. While the network IOCs are static and easy to detect, identifying the malicious behavior within highly privileged and noisy CI/CD pipelines requires careful baseline comparison and monitoring of cloud audit logs.

Required Log Sources

  • DNS Logs
  • Network Flow Logs
  • Process Creation Logs
  • GitHub Audit Logs
  • CI/CD Pipeline Logs

Hunting Hypotheses

Hypothesis | Telemetry | ATT&CK Stage | FP Risk
Look for unexpected network connections to audit.checkmarx.cx or 94.154.172.43 originating from CI/CD runners or developer workstations. | Network Flow Logs, DNS Logs | Exfiltration | Low
Monitor GitHub Audit Logs for the unexpected creation of public repositories by developer accounts, which may indicate dead drop activity. | Cloud Audit Logs | Exfiltration | Medium
Identify unexpected modifications to GitHub workflows, particularly those committed by automated tokens or outside of normal change management windows. | Cloud Audit Logs | Persistence | Medium
Detect the execution of the Bun runtime if it is not a standard tool in the environment, especially when spawned by Checkmarx or Bitwarden processes. | Process Creation Logs | Execution | Low to Medium
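The four hypotheses above as runnable hunting checks over constructed sample telemetry. This is an added example, not Sophos detection content; the record layouts are simplified dicts rather than any vendor's native log schema, and the parent process names in SUSPECT_PARENTS are assumed.

```python
"""Hunting checks for the four hypotheses above. Added example, not
Sophos code; record layouts are constructed, simplified dicts, not any
vendor's native log schema."""

C2_DOMAIN = "audit.checkmarx.cx"
C2_IP = "94.154.172.43"
# Assumed parent process names: KICS binary, Bitwarden CLI, VS Code host.
SUSPECT_PARENTS = {"kics", "bw", "code"}

def hunt_c2(records):
    """Hypothesis 1: DNS queries or flows touching the C2 domain or IP."""
    return [(r["host"], r.get("query") or r.get("dst_ip")) for r in records
            if r.get("query") == C2_DOMAIN or r.get("dst_ip") == C2_IP]

def hunt_public_repos(events):
    """Hypothesis 2: public repo creation by user accounts (possible dead drops)."""
    return [e["actor"] for e in events
            if e["action"] == "repo.create" and e.get("visibility") == "public"]

def hunt_workflow_changes(events, window=(9, 17)):
    """Hypothesis 3: workflow pushes by tokens or outside the change window (UTC hours)."""
    hits = []
    for e in events:
        if e["action"] != "git.push":
            continue
        workflow = any(p.startswith(".github/workflows/") for p in e.get("paths", []))
        hour = int(e["timestamp"][11:13])
        if workflow and (e.get("auth") == "token" or not window[0] <= hour < window[1]):
            hits.append((e["actor"], e["repo"]))
    return hits

def hunt_bun(procs):
    """Hypothesis 4: Bun runtime spawned by a Checkmarx or Bitwarden process."""
    return [(p["host"], p["parent"]) for p in procs
            if p["image"].rsplit("/", 1)[-1] == "bun" and p["parent"] in SUSPECT_PARENTS]

# Constructed sample telemetry (not real data).
SAMPLE_NET = [
    {"host": "ci-runner-07", "query": "registry.npmjs.org"},
    {"host": "ci-runner-07", "query": "audit.checkmarx.cx"},
    {"host": "dev-laptop-3", "dst_ip": "94.154.172.43"},
]
SAMPLE_AUDIT = [
    {"action": "repo.create", "actor": "jdoe", "visibility": "public"},
    {"action": "repo.create", "actor": "asmith", "visibility": "private"},
    {"action": "git.push", "actor": "jdoe", "auth": "token", "repo": "org/app",
     "paths": [".github/workflows/ci.yml"], "timestamp": "2026-04-22T03:15:00Z"},
    {"action": "git.push", "actor": "asmith", "auth": "sso", "repo": "org/app",
     "paths": ["src/main.go", ".github/workflows/ci.yml"], "timestamp": "2026-04-22T10:30:00Z"},
]
SAMPLE_PROCS = [
    {"host": "dev-laptop-3", "image": "/home/jdoe/.bun/bin/bun", "parent": "bw"},
    {"host": "dev-laptop-3", "image": "/usr/bin/bun", "parent": "bash"},
]
```

The change window and parent names are tunable per environment; the C2 checks need no tuning because the indicators are static.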

Control Gaps

  • Lack of egress filtering on CI/CD runners
  • Over-permissive GitHub tokens
  • Implicit trust in official package registries

Key Behavioral Indicators

  • Creation of public GitHub repositories by user accounts
  • Unexpected Bun runtime execution
  • Modifications to GitHub workflows by compromised tokens

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Remove affected Checkmarx KICS and Bitwarden CLI versions immediately.
  • Pin or downgrade to known-good releases.
  • Block network traffic to audit.checkmarx.cx and 94.154.172.43.

Infrastructure Hardening

  • Rebuild container images derived from affected KICS tags and purge caches.
  • Implement strict egress filtering for CI/CD runners to prevent unauthorized exfiltration.

User Protection

  • Rotate all potentially exposed credentials, including GitHub/npm tokens, cloud provider keys, and SSH keys.
  • Review and rotate secrets embedded in AI assistant configurations (Claude, Cursor, Aider, MCP).

Security Awareness

  • Audit GitHub accounts for unauthorized workflow injections and unexpected public repositories.
  • Enforce MFA on all package registry and cloud accounts wherever it isn't already enabled.

MITRE ATT&CK Mapping

  • T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain
  • T1059.007 - Command and Scripting Interpreter: JavaScript
  • T1552.004 - Unsecured Credentials: Private Keys
  • T1552.005 - Unsecured Credentials: Cloud Instance Metadata API
  • T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
  • T1048 - Exfiltration Over Alternative Protocol
  • T1565.001 - Data Manipulation: Stored Data Manipulation

Additional IOCs

  • IPs:
    • 94[.]154[.]172[.]43 - C2 server IP
  • Domains:
    • audit[.]checkmarx[.]cx - C2 domain
  • URLs:
    • hxxps://audit[.]checkmarx[.]cx/v1/telemetry - Exfiltration endpoint
  • File Paths:
    • mcpAddon.js - Checkmarx payload executed via Bun runtime
    • bw_setup.js - Bitwarden loader script
    • bw1.js - Bitwarden obfuscated second-stage payload
  • Other:
    • checkmarx/cx-dev-assist 1.17.0 - Malicious VS Code extension
    • checkmarx/cx-dev-assist 1.19.0 - Malicious VS Code extension
    • checkmarx/ast-results 2.63.0 - Malicious VS Code extension
    • checkmarx/ast-results 2.66.0 - Malicious VS Code extension
    • ast-github-action 2.3.35 - Malicious GitHub Action