🚀 Socket Launch Week Day 4: Introducing Data Exports! You can now send Socket alert changes directly to cloud storage in AWS S3, Google Cloud Storage, or Azure Blob Storage. Data Exports is easy to set up and lets you choose the format and delivery mode that fit your workflow: JSON, CSV, or Parquet, with full snapshot or incremental exports. Now available for Enterprise customers: https://lnkd.in/erppdfQY
Socket
Computer and Network Security
Socket is the #1 software supply chain security platform. Next-gen SCA + SBOM + 0-day prevention. LOVED BY DEVELOPERS.
About us
Socket is a cybersecurity platform that protects companies from software supply chain attacks. Companies use Socket to protect their software applications and critical services from malware and security threats originating in open source code.
- Website
- https://socket.dev
- Industry
- Computer and Network Security
- Company size
- 51-200 employees
- Headquarters
- San Francisco
- Type
- Privately Held
- Founded
- 2020
- Specialties
- Software, Security, Software supply chain, Open source software, Application Security, Cybersecurity, and Software Composition Analysis (SCA)
Locations
- Primary: San Francisco, US
Updates
Socket reposted this
🔺 We updated our technical analysis for the Bitwarden compromise. This is the third supply chain compromise in 3 days: a security scanner, an AI agent CLI, and a password manager CLI. Attackers are hammering tools with privileged access to infrastructure, so keep your eyes open this week. This is life now.
🚨 Bitwarden CLI 2026.4.0 was compromised as part of the ongoing Checkmarx supply chain campaign after attackers abused a GitHub Action in Bitwarden’s CI/CD pipeline. We’ll continue updating our coverage as more details are confirmed. https://lnkd.in/ek5zfyKT
Socket reposted this
🚨 Bitwarden CLI compromised in active supply chain attack. @bitwarden/cli version 2026.4.0 contains malicious code in bw1.js, published after attackers compromised a GitHub Action in Bitwarden's CI/CD pipeline. This is part of the broader Checkmarx supply chain campaign that has been hitting multiple repositories through the same GitHub Actions vector. Bitwarden is the latest confirmed target. We're conducting a full technical analysis now and will publish IOCs, affected version details, and remediation guidance. If you use Bitwarden CLI:
• Review your CI logs for unexpected behavior in recent builds
• Rotate any secrets that may have been exposed to the compromised workflow
• Pin to a known-good version until this is resolved
Developing story...
🚨 Bitwarden CLI 2026.4.0 was compromised as part of the ongoing Checkmarx supply chain campaign after attackers abused a GitHub Action in Bitwarden’s CI/CD pipeline. We’ll continue updating our coverage as more details are confirmed. https://lnkd.in/ek5zfyKT
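The post above asks teams to check whether the compromised @bitwarden/cli 2026.4.0 is present in their builds and to pin to a known-good version. The script below is an added example (not Socket's or Bitwarden's code) that scans an npm lockfile for the flagged version. It assumes the lockfile is package-lock.json in either lockfileVersion 1 (nested "dependencies") or lockfileVersion 2/3 (flat "packages") form; the sample lockfiles are constructed inline, and the only flagged coordinate is the one named on this page. The page does not name a known-good version, so the script reports hits and leaves the replacement version to the reader.

```python
"""Scan npm lockfiles for a package version flagged as compromised.

Added example, not Socket's or Bitwarden's own tooling. Assumes package-lock.json
v1 (nested "dependencies") or v2/v3 (flat "packages" keyed by install path).
The flagged coordinate (@bitwarden/cli 2026.4.0) comes from the post above.
"""
import json
from pathlib import Path

# Package name -> set of versions reported as compromised on this page.
COMPROMISED = {"@bitwarden/cli": {"2026.4.0"}}


def _walk_v1(deps, prefix, hits):
    """Recurse through a lockfileVersion 1 'dependencies' tree."""
    for name, meta in (deps or {}).items():
        path = f"{prefix}node_modules/{name}"
        ver = meta.get("version")
        if ver in COMPROMISED.get(name, set()):
            hits.append((path, ver))
        _walk_v1(meta.get("dependencies"), path + "/", hits)


def find_compromised(lock: dict) -> list[tuple[str, str]]:
    """Return (install path, version) for every flagged package in the lockfile."""
    hits: list[tuple[str, str]] = []
    packages = lock.get("packages")
    if packages is not None:  # lockfileVersion 2 or 3: flat map keyed by path
        for path, meta in packages.items():
            if not path:  # "" is the root project itself, not a dependency
                continue
            # Aliased packages carry an explicit "name"; otherwise derive it from the path.
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            ver = meta.get("version")
            if ver in COMPROMISED.get(name, set()):
                hits.append((path, ver))
    else:  # lockfileVersion 1: nested tree
        _walk_v1(lock.get("dependencies"), "", hits)
    return hits


def scan_lockfile(path) -> list[tuple[str, str]]:
    """Load a package-lock.json from disk and scan it."""
    return find_compromised(json.loads(Path(path).read_text()))


# Constructed sample v3 lockfile: the flagged version as a direct dependency,
# plus an older nested copy under another package (not flagged).
SAMPLE_V3 = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/@bitwarden/cli": {"version": "2026.4.0"},
        "node_modules/some-tool": {"version": "1.2.3"},
        "node_modules/some-tool/node_modules/@bitwarden/cli": {"version": "2026.3.0"},
    },
}

# Constructed sample v1 lockfile: the flagged version pulled in transitively.
SAMPLE_V1 = {
    "lockfileVersion": 1,
    "dependencies": {
        "some-tool": {
            "version": "1.2.3",
            "dependencies": {"@bitwarden/cli": {"version": "2026.4.0"}},
        }
    },
}

if __name__ == "__main__":
    for label, lock in (("v3", SAMPLE_V3), ("v1", SAMPLE_V1)):
        hits = find_compromised(lock)
        print(f"{label}: {hits if hits else 'no flagged versions'}")
```

Run `scan_lockfile("package-lock.json")` against a real project, or `npm ls @bitwarden/cli` for the same question without the script; a hit in a nested path means a transitive dependency is pulling the flagged version in, so an `overrides` entry in package.json (to a version you have verified) is needed in addition to changing the direct dependency.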
Socket reposted this
Our Denver team made it out to SnowFROC - presented by Denver and Boulder OWASP last week and Socket kept the coffee flowing all day ☕ 🚀 Max A. and Ford Anderson - thanks for being there!
🚀 Socket Launch Week Day 3: We’re excited to launch Organization Notifications! This new feature helps teams stay on top of organization-level alert activity with filtered, batched notifications that make updates easier to route, review, and act on. At launch, Organization Notifications includes:
→ subscriptions for alert created, changed, and cleared events
→ filters for category, severity, priority, and repository
→ notification summaries built for triage
⚡ Learn more: https://lnkd.in/eMd7WAsJ
🚨 New findings in our Checkmarx compromise investigation:
- VS Code / Open VSX extensions delivered a second-stage payload as mcpAddon.js
- It was silently downloaded from a hardcoded GitHub URL pinned to a specific commit in Checkmarx’s own repo
- It was executed via Bun
- The malware harvested GitHub, AWS, Azure, GCP, npm, SSH, env vars, and MCP-related credentials
- Stolen GitHub tokens were used to create public repos for staging exfiltrated data
- The malware injected malicious GitHub Actions workflows to capture repository secrets
- Stolen npm credentials were used to identify writable packages for downstream propagation
- TeamPCP appears to be taking credit publicly
Full technical analysis: https://lnkd.in/ey4MybiF
We’ll keep updating the post as we learn more.
🚨 BREAKING: Socket and Docker, Inc uncovered what appears to be a broader Checkmarx supply chain compromise affecting official KICS Docker images and recent Checkmarx VS Code extension releases. We found malicious images in the official checkmarx/kics Docker Hub repo, including overwritten tags and a new tag outside the normal release flow. Our analysis also found signs that recent Checkmarx extension releases introduced code capable of downloading and executing what appears to be a malicious remote add-on. We’re in touch with the Checkmarx team and still investigating the incident. Link with more details in the comments.
🚨 Breaking: Namastex Labs, the team behind Automagik[.]dev, hit with a supply chain attack affecting its npm packages. The malicious versions replicate TeamPCP-style Canister Worm tradecraft, including secret theft, exfiltration, and self-propagation. https://lnkd.in/e7x_Gnvs
Heading to Google Cloud Next ’26 tomorrow? Join us at the startup showcase, where Socket’s Enrique Berrios will share a quick overview of Socket and a live demo during “Securely building & scaling on Google Cloud’s AI stack,” with Decagon, Systalyze, Cartesia, and Factory. 🗓️ Wednesday, April 22nd | 2:45–3:45pm 📍 Startups Theater, Startups Hub Link in the comments to save your seat.