SecureNexus

Security Intelligence

Expert analysis on threats, compliance, and the evolving security landscape.

TeamPCP Hits Checkmarx: Inside the cx-dev-assist and KICS Supply Chain Compromise
Security
2026-04-23 · 9 min read · By Yash Kumar

On April 22, 2026, Checkmarx disclosed a supply chain security incident affecting several of its publicly distributed artifacts. Malicious versions of KICS Docker images, a GitHub Action (ast-github-action 2.3.35), and two VS Code extensions (ast-results 2.63/2.66 and cx-dev-assist 1.17/1.19) were published during a short window. Previously published safe versions were not overwritten, so customers pinned to pre-window versions are not affected. Less than 24 hours later, the same campaign reached Bitwarden with a malicious @bitwarden/[email protected] published via a compromised CI/CD GitHub Action on npm. The authoritative C2 indicators are the typosquat domains checkmarx.cx (91.195.240.123) and audit.checkmarx.cx (94.154.172.43).

19 articles

A Supply Chain Attack Inside the SAP CAP npm Ecosystem: SOVA's Walkthrough of @cap-js and mbt
Security

2026-04-30 · 23 min read

On April 29, 2026, four packages in the SAP Cloud Application Programming (CAP) ecosystem — @cap-js/db-service, @cap-js/postgres, @cap-js/sqlite, and mbt — were trojanised in a three-hour window via a Shai-Hulud worm variant published through compromised GitHub Actions OIDC. SecureNexus SOVA flagged all four with deterministic BLOCK verdicts on tarball capability shape. This walkthrough covers the surgical drop pattern, deobfuscated payload internals, IMDSv2 credential harvesting, GitHub GraphQL exfiltration, and a capability-based gate policy you can deploy today.

By Omkar Pote

The Publish Pipeline Is the New Attack Surface: Lessons from the Bitwarden Workflow Incident
Security

2026-04-23 · 8 min read

On April 22, 2026, a malicious version of @bitwarden/[email protected] was published to npm through a compromise of Bitwarden's own publishing workflow. The exposure window was approximately 93 minutes (5:57 PM to 7:30 PM ET). Bitwarden confirmed the compromise was connected to the ongoing Checkmarx supply chain incident disclosed the same day. End-user vault data, production systems, and the legitimate Bitwarden codebase were not impacted; only users who installed @bitwarden/[email protected] from npm during that narrow window were potentially affected. This post covers what Bitwarden has officially confirmed, the response steps for affected teams, and the broader lesson that CI/CD publishing pipelines are themselves the attack surface.

By Yash Kumar

Inside forge-jsx: Anatomy of a Multi-Platform npm RAT Masquerading as an Autodesk Forge SDK
Security

2026-04-20 · 10 min read

npm package [email protected] — marketed as a Node.js integration layer for Autodesk Forge — is a multi-platform RAT and infostealer. This technical breakdown walks through the postinstall kill chain, the LaunchAgent/systemd/Task Scheduler persistence primitives, the .env and shell-history harvesting modules, and the AES-256-GCM-obfuscated C2 blob, with SecureNexus SOVA analysis evidence.

By Yash Kumar

The Protocol No One Secured: How Anthropic’s MCP Turns AI Agents into Remote Execution Engines
Security

2026-04-20 · 5 min read

Anthropic’s MCP introduces a critical design flaw where AI agents can execute actions based on untrusted tool responses. This turns AI systems into unintended remote execution engines, exposing risks like RCE, data leaks, and full workflow compromise. The issue isn’t a bug—it’s a broken trust model requiring a shift to secure, zero-trust AI architectures.

By Arjun Gupta

Your Frontend Is a Goldmine: Hidden Secrets in JavaScript Bundles
Security

2026-04-11 · 9 min read

Minification isn't encryption. Every JavaScript bundle your app ships is readable in seconds — and attackers know it. This post breaks down exactly what they find: hardcoded API keys, internal endpoints, client-side business logic, and exposed source maps. Plus the five controls that make sure none of it leaves your codebase.

By Arjun Gupta

Post-Install Scripts: The Most Dangerous Feature Nobody Talks About
Security

2026-04-10 · 8 min read

Every npm install silently executes lifecycle scripts from every package in your dependency tree — no prompts, no sandboxing, with full system access. This post breaks down how post-install scripts work, why they are the most exploited vector in npm supply chain attacks, and the five controls that eliminate the risk.

By Arjun Gupta

GlassWorm's Zig Dropper: Why Every IDE Is Now Part of the Attack Surface
Security

2026-04-10 · 10 min read

GlassWorm is a multi-ecosystem supply chain campaign that embeds invisible Unicode-obfuscated payloads in GitHub repositories, npm packages, and VS Code extensions. Its latest evolution uses a Zig-compiled native dropper to spread across developer IDEs, harvesting credentials and enabling autonomous supply chain propagation. This analysis breaks down the infection chain, explains why the IDE is now a Tier-0 attack target, and provides actionable controls for security teams.

By Vitish Bhardwaj

VeloraDEX SDK Poisoned: Anatomy of an npm Supply Chain Attack Targeting DeFi Developers
Security

2026-04-08 · 12 min read

On April 7, 2026, a malicious version of the VeloraDEX SDK — the JavaScript library used by DeFi applications to aggregate liquidity across decentralized exchanges — was published to npm. Version 9.4.1 of @velora-dex/sdk contained a three-line payload prepended to the bundled distribution file that silently downloaded and executed a remote bash script from a server in Romania. The malicious code was not present anywhere in the GitHub repository. Only the npm tarball carried the backdoor, and it ran on every import — no install hooks, no postinstall scripts, nothing that conventional security scanners flag. For a package that sits in the dependency tree of DeFi applications handling real money, this is about as dangerous as supply chain attacks get.

By Sunil Kumar

Page 1 of 3