Why a recent supply-chain attack singled out security firms Checkmarx and Bitwarden

Ars Technica·Dan Goodin·about 1 month ago

“Current evidence indicates that this data originated from Checkmarx’s GitHub repositories, and that access to those repositories was facilitated through the initial supply chain attack of March 23, 2023,” Checkmarx said Monday. The company didn’t say what kinds of data were leaked.

Checkmarx isn’t the only security company to suffer the aftereffects of the Trivy breach. Socket said that another security firm, Bitwarden, was also hit in the same supply-chain attack. Socket tied the Bitwarden breach to the Trivy campaign because the payload used the same C2 endpoint and core infrastructure as the Checkmarx malware.

The Trivy attack was carried out by a group calling itself TeamPCP. The group is among the most successful access-broker operations, a class of hackers that smashes and grabs credentials from victims and then sells them to other hackers. The key to its ascendency is its targeting of tools that already have privileged access.…
