A Major Attack Compromised Security Tools Used by Thousands of Companies

A hacking group called TeamPCP broke into Trivy, a security checking tool used by thousands of companies, and several major security vendors. They kept hidden access for weeks after being discovered.

Martin Holloway, published 2d ago, 5 min read, based on 4 sources

A group called TeamPCP carried out a sophisticated attack starting March 19 that broke into Trivy, a widely-used security checking tool, and compromised the accounts of several major security companies including Checkmarx and Bitwarden. Security researchers say this is one of the largest attacks of its kind in recent years. The attackers kept access to these systems for weeks after discovery.

What Happened and How Many Were Affected

On March 19, TeamPCP broke into the GitHub account of Aqua Security, the company that maintains Trivy. They got in using login credentials stolen in an earlier breach, then inserted malicious code into the official versions of the tool that companies download and use.

Four days later, on March 23, the attackers moved to other targets. They broke into the GitHub accounts used by Checkmarx for two of their security scanning tools. When Checkmarx found out about the breach on March 23, they tried to kick the attackers out—but the intruders stayed hidden and kept working in those accounts for 40 days afterward.

CrowdStrike, a security firm, was the company that spotted the problem. It noticed unusual activity connected to Trivy and dug in to investigate. Bitwarden, another security company, was also caught up in the same attack.

How the Attack Worked

The malicious code the attackers inserted had an unusual feature: it could copy itself and spread automatically to new computers, without needing someone to manually activate it. Think of it like a virus that doesn't wait for you to click something—it just moves from one connected system to the next on its own.

The code also included a special function that wiped data specifically from computers in Iran. This detail suggests the attackers had goals beyond just stealing information—there appears to be a political or geographic motive here.

Trivy was a particularly effective target for this type of attack. Many companies use Trivy as part of their software development process to scan for security problems. By poisoning this one tool, the attackers could reach code development teams at dozens or hundreds of companies all at once.

Why This Was Hard to Stop

Once the attackers got into these security companies' accounts, they knew how to stay hidden. Even after Checkmarx found them and changed passwords, the intruders kept accessing the compromised accounts. For 40 days, they continued to deliver malicious code to Checkmarx customers.

This ability to stay hidden reveals a bigger problem. Modern software development relies on many interconnected tools and services. When one account is compromised, attackers may have already set up backup ways to get back in, making complete removal very difficult. The attackers in this case seemed to understand these systems well enough to maintain access even after companies thought they had locked them out.

Why This Matters

The broader context here is worth understanding. Over the past few years, hackers have shifted strategy. Instead of targeting individual companies, they now go after the tools that those companies rely on—tools designed to protect them. If you compromise a security tool, you compromise the defenses at every company using it. It is like breaking into a fire station: suddenly, the people counting on that fire station cannot get help.

We have seen this pattern before. In 2020, a huge attack on SolarWinds software infected the tools that companies use to manage their systems. More recently, hackers have gone after the public code repositories where developers share software. The TeamPCP attack combines these lessons: it targets multiple security vendors at once, hitting the very tools built to prevent these kinds of attacks.

The self-spreading malware here is particularly concerning. Older supply chain attacks required companies to actively pull a poisoned update. This code spreads on its own across connected systems, making it much harder to contain.

What Happens Next

For any organization that was using these compromised tools during the attack window, recovery is complicated. They cannot simply update to a fixed version and move on. They need to assume that malicious code may have been inserted into their own software projects and systems. That means extensive forensic work—going back through code, checking systems, and confirming nothing else is hidden.

The self-replicating nature of the malware makes this even more difficult. Standard cleanup methods may not be enough against a virus that keeps reproducing itself.

Kaspersky researchers have described this as one of the most significant attacks of this type in modern cybersecurity history. It highlights a real tension in software development: companies need to move fast and get products out the door, but they also need to validate and trust the tools they bring in to help them. When the tools themselves are compromised, that trust breaks down.

What this attack shows is that threat actors keep getting more sophisticated about how they target development infrastructure. The combination of persistent access, the ability to spread automatically, and precise targeting of where the code goes represents a serious evolution in how supply chain attacks work. Security teams will need to adjust their defenses accordingly.