mcpAddon.js

It also abuses stolen GitHub tokens to inject a new GitHub Actions workflow... and uses stolen npm credentials to identify writable packages for downstream republishing.

GitHub OIDC 토큰을 요청할 수 있는 id-token: write 권한도 보유하고 있었습니다... Azure 자격증명을 그대로 탈취

A threat actor compromised the pipeline(s) and distribution channels of two developer-tooling vendors... Malicious versions of Checkmarx KICS ... and the Bitwarden CLI ... were pushed to official channels and presented as legitimate releases.

On April 22, an attacker pushed malicious artifacts across three distribution channels... Docker Hub... Open VSX / VS Code extensions... GitHub Actions... Also on April 22, an attacker compromised a GitHub Action used in Bitwarden's CI/CD pipeline and published a trojanized @bitwarden/cli version 2026.4.0 to npm.

related Checkmarx developer tooling may also have been affected, including recent VS Code extension releases that introduced code capable of downloading and executing a remote addon through the Bun runtime.

This JavaScript file mcpAddon.js is executed using the Bun interpreter; supporting execution on Windows and Unix-based systems.

It also launches a PowerShell command to enumerate Azure tokens of attached tenants: powershell.exe -NoProfile -NonInteractive -Command ...

Upon execution of mcpAddon.js, Bun launches the following commands on Windows systems: C:\WINDOWS\system32\cmd.exe /d /s /c "gh auth token" ...

mcpAddon.js functions as a stand-alone token stealer which uses the victim’s shell (PowerShell or Bash) to enumerate and exfiltrate the following...

The attacker added a hidden ‘MCP addon’ feature that pulled a ~10MB payload ( mcpAddon.js ) from a hardcoded GitHub URL and executed it via the Bun runtime on extension activation... A preinstall hook invoked a loader ( bw_setup.js ) that downloaded the Bun runtime and launched an obfuscated second-stage payload ( bw1.js ).

This JavaScript file mcpAddon.js is executed using the Bun interpreter...

These extensions were modified to silently download a malicious payload called mcpAddon.js from a hardcoded GitHub URL

탈취한 GitHub 토큰을 이용해 ... 악성 워크플로우 파일(.github/workflows/format-check.yml)을 커밋하면, GitHub Actions가 이를 자동 실행하여 해당 저장소의 모든 시크릿을 아티팩트로 추출합니다.

It also abuses stolen GitHub tokens to inject a new GitHub Actions workflow... and uses stolen npm credentials to identify writable packages for downstream republishing.

GitHub OIDC 토큰을 요청할 수 있는 id-token: write 권한도 보유하고 있었습니다... Azure 자격증명을 그대로 탈취

For each qualifying repository, the worm creates a new branch, commits the malicious workflow, and waits for it to execute.

It also abuses stolen GitHub tokens to inject a new GitHub Actions workflow... and uses stolen npm credentials to identify writable packages for downstream republishing.

GitHub OIDC 토큰을 요청할 수 있는 id-token: write 권한도 보유하고 있었습니다... Azure 자격증명을 그대로 탈취

For each qualifying repository, the worm creates a new branch, commits the malicious workflow, and waits for it to execute.

Obfuscation Techniques (mcpAddon.js) A giant one-line bundle with mangled identifiers... A string-table decoder... Additional scrambled string decoding... Multiple gzip+base64 embedded payloads...

서버 주소를 Checkmarx의 공식 텔레메트리 엔드포인트처럼 위장한 점도 주목할 부분입니다.

It also abuses stolen GitHub tokens to inject a new GitHub Actions workflow... and uses stolen npm credentials to identify writable packages for downstream republishing.

GitHub OIDC 토큰을 요청할 수 있는 id-token: write 권한도 보유하고 있었습니다... Azure 자격증명을 그대로 탈취

This JavaScript file mcpAddon.js is executed using the Bun interpreter...

The attacker began by injecting a backdated commit (68ed490b) into the Checkmarx/ast-vscode-extension repository... spoofed to look like it was authored in 2022... attached to a real commit as its parent...

This workflow uses a clever trick—${{ toJSON(secrets) }}—to collapse every secret in the repository into a single string

mcpAddon.js is designed to sweep development environments for high-value secrets, including GitHub tokens, npm tokens, AWS/Azure/GCP credentials, SSH keys, environment variables, and configuration files for Claude and other AI tools.

Both malicious payloads attempted to harvest the following sensitive information: GitHub and npm tokens SSH keys Cloud provider credentials AI assistant configurations

Both malicious payloads attempted to harvest the following sensitive information: GitHub and npm tokens SSH keys Cloud provider credentials AI assistant configurations... mcpAddon.js is designed to sweep development environments for high-value secrets, including GitHub tokens, npm tokens, AWS/Azure/GCP credentials, SSH keys...

The malware harvests developer and cloud credentials... It also abuses stolen GitHub tokens to inject a new GitHub Actions workflow... and uses stolen npm credentials to identify writable packages for downstream republishing.

It then attempts to republish those packages with the malicious payload, enabling “rapid lateral spread across the npm ecosystem”.

Secret-aware targeting: Before taking action, it checks whether a repository (or its parent organization) has configured GitHub Actions secrets. Repositories without secrets are ignored...

The malware harvests developer and cloud credentials, compresses and encrypts the results...

The attacker added a hidden ‘MCP addon’ feature that pulled a ~10MB payload ( mcpAddon.js ) from a hardcoded GitHub URL... A preinstall hook invoked a loader ( bw_setup.js ) that downloaded the Bun runtime and launched an obfuscated second-stage payload ( bw1.js ).

수집된 데이터는 압축 및 암호화되어 audit.checkmarx[.]cx/v1/telemetry 라는 외부 서버로 전송됩니다.

This harvested data is then exfiltrated to hxxps://audit[.]checkmarx[.]cx/v1/telemetry ... the attacker created public repositories in victim GitHub accounts and stored the encrypted stolen data inside them – essentially using the victim's own infrastructure as a dead drop.

The malware uses stolen GitHub tokens to create repositories under the victim’s own account with the deceptive description “Checkmarx Configuration Storage”.

Analysis of the malware’s GitHub abuse logic and live public repository artifacts shows that the threat actor abuses GitHub credentials to create public repositories used for exfiltration staging.