Supply chain attacks hit Checkmarx and Bitwarden developer tools
ID: 7b9c2c36-8563-58ba-abc5-819f80ecec7f
STIX ID: report--7b9c2c36-8563-58ba-abc5-819f80ecec7f
Feed Name: Sophos Blogs
Sophos reports that on April 22, 2026 attackers compromised distribution pipelines for two widely used developer tools—Checkmarx KICS and the Bitwarden CLI—by publishing trojanized releases (via Docker Hub, Open VSX, GitHub Actions, and npm). The malicious payloads harvested high-value secrets (GitHub/npm tokens, SSH keys, cloud credentials, AI assistant configs), encrypted them, and exfiltrated data to audit.checkmarx.cx (94.154.172.43); the Bitwarden package additionally weaponized stolen GitHub tokens to inject workflows and used victim repositories as dead drops. Sophos provides detections, IOCs, and remediation guidance including removal of malicious versions, credential rotation, audit of GitHub workflows/repos, and enabling MFA.
