🚨 SlowMist TI Alert 🚨 MistEye has monitored threat intelligence regarding a sophisticated supply chain campaign targeting official Checkmarx distribution channels. The attack involved maliciously overwriting tags in the checkmarx/kics Docker Hub repository and injecting remote payload execution logic into specific extension versions, including checkmarx/cx-dev-assist (1.17.0, 1.19.0) and checkmarx/ast-results (2.63.0, 2.66.0). This campaign specifically aims to exfiltrate developer and cloud credentials to obtain GitHub and npm tokens for lateral propagation. Consequently, this propagation has led to the compromise of the @bitwarden/cli@2026.4.0 package, which now contains a malicious file named bw1.js. These IOCs have been synchronized with clients immediately. It is advised to avoid unverified checkmarx/kics Docker images and strictly refrain from using the compromised extension or CLI versions mentioned above. Immediate auditing of development environments and rotation of any potentially exposed credentials or tokens is strongly recommended. As always, stay vigilant!