{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/open-vsx/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["KICS","cx-dev-assist","ast-results","@bitwarden/cli","Docker Hub","Open VSX","GitHub Actions"],"_cs_severities":["high"],"_cs_tags":["supply-chain","credential-theft","malware"],"_cs_type":"advisory","_cs_vendors":["Checkmarx","Bitwarden","GitHub","npm"],"content_html":"\u003cp\u003eOn April 22, 2026, Checkmarx and Bitwarden experienced supply chain attacks where threat actors compromised their distribution channels to deliver malicious versions of their developer tools. Checkmarx KICS, a security scanner, was affected via tampered images on Docker Hub (tags v2.1.20-debian, v2.1.20, debian, alpine, latest, v2.1.21), malicious extensions on Open VSX (cx-dev-assist versions 1.17.0, 1.19.0 and ast-results versions 2.63.0, 2.66.0), and a malicious release on GitHub Actions (tag 2.3.35). The Bitwarden CLI was compromised with a trojanized version 2026.4.0 published to npm. The attackers aimed to steal credentials, including GitHub and npm tokens, SSH keys, cloud provider credentials, and AI assistant configurations, exfiltrating the data to audit.checkmarx[.]cx (94.154.172[.]43). 
These attacks highlight the risk of compromised software supply chains and the potential for widespread data theft.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker compromises the CI/CD pipeline or distribution channel of Checkmarx and Bitwarden.\u003c/li\u003e\n\u003cli\u003eMalicious KICS images are pushed to Docker Hub with tampered Go binaries.\u003c/li\u003e\n\u003cli\u003eCheckmarx extensions on Open VSX are modified to include a hidden \u0026lsquo;MCP addon\u0026rsquo; feature, downloading and executing a payload from a hardcoded GitHub URL.\u003c/li\u003e\n\u003cli\u003eA malicious release (2.3.35) is tagged on the ast-github-action repository.\u003c/li\u003e\n\u003cli\u003eThe trojanized @bitwarden/cli version 2026.4.0 is published to npm.\u003c/li\u003e\n\u003cli\u003eThe malicious payloads harvest sensitive information, including GitHub tokens, npm tokens, AWS/Azure/GCP credentials, SSH keys, environment variables, and AI configuration files.\u003c/li\u003e\n\u003cli\u003eStolen GitHub tokens are used to inject malicious workflows into victim repositories.\u003c/li\u003e\n\u003cli\u003eCollected data is encrypted and exfiltrated to audit.checkmarx[.]cx.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe attacks on Checkmarx and Bitwarden developer tools could have severe consequences. A stolen cloud credential or GitHub token from a developer\u0026rsquo;s machine can be a foothold for an entire production infrastructure. The compromise of Bitwarden CLI could lead to exposure of stored passwords. Successful exfiltration of sensitive data from development environments allows attackers to access and control critical systems, potentially leading to data breaches, financial loss, and reputational damage. 
The Bitwarden CLI package draws more than 70,000 weekly downloads, indicating a potentially wide impact.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor network connections for outbound traffic to the C2 domain \u003ccode\u003eaudit.checkmarx[.]cx\u003c/code\u003e (IOC - Domain).\u003c/li\u003e\n\u003cli\u003eInspect running containers for the presence of tampered KICS images based on the affected Docker Hub tags (IOC - Docker Hub).\u003c/li\u003e\n\u003cli\u003eImplement integrity checks for dependencies installed via npm, specifically flagging the compromised \u003ccode\u003e@bitwarden/cli\u003c/code\u003e version 2026.4.0 (IOC - npm).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect processes executing JavaScript downloaded from unusual GitHub URLs.\u003c/li\u003e\n\u003cli\u003eReview GitHub Actions workflows for suspicious modifications or injections using stolen tokens, as described in the attack chain.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-11T20:54:49Z","date_published":"2026-05-11T20:54:49Z","id":"https://feed.craftedsignal.io/briefs/2026-05-supply-chain-checkmarx-bitwarden/","summary":"On April 22, 2026, Checkmarx and Bitwarden suffered supply chain attacks where malicious versions of their developer tools were distributed through official channels, attempting to harvest sensitive information such as GitHub and npm tokens and exfiltrating data to audit.checkmarx[.]cx.","title":"Supply Chain Attacks Target Checkmarx and Bitwarden Developer Tools","url":"https://feed.craftedsignal.io/briefs/2026-05-supply-chain-checkmarx-bitwarden/"}],"language":"en","title":"CraftedSignal Threat Feed — Open VSX","version":"https://jsonfeed.org/version/1.1"}