
According to new findings from JFrog and Socket, the Bitwarden CLI was compromised as part of a newly discovered and ongoing Checkmarx supply chain campaign.
“The version of the affected package appears to be @bitwarden/cli@2026.4.0, and the malicious code was exposed in the file ‘bw1.js’ included in the package contents,” the application security company said.
“This attack appears to leverage a compromised GitHub action in Bitwarden’s CI/CD pipeline. This is consistent with the pattern seen across other repositories affected in this campaign.”
In a post on X, JFrog said the malicious version of the package “steals GitHub/npm tokens, .ssh, .env, shell history, GitHub Actions, cloud secrets, and leaks data to private domains on GitHub commits.”
Specifically, the malicious code is executed by the package’s npm preinstall hook and steals local, CI, GitHub, and cloud secrets. The data is exfiltrated to the domain “audit.checkmarx[.]cx”, with a push to a GitHub repository as a fallback if the primary method fails.
The entire sequence of actions is shown below.
Launches a credential stealer that targets developer secrets, GitHub Actions environments, and the configurations of artificial intelligence (AI) coding tools such as Claude, Kiro, Cursor, Codex CLI, and Aider. The stolen data is encrypted with AES-256-GCM and exfiltrated to audit.checkmarx[.]cx, a domain impersonating Checkmarx. Once a GitHub token is found, the malware can weaponize it to inject malicious Actions workflows into the repository and extract CI/CD secrets.
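As an added example (not code from the article or from any of the vendors it quotes), the following Python script checks a project checkout for the indicators the article names: the affected version pinned in package-lock.json, the bw1.js file inside an installed @bitwarden/cli, and any preinstall lifecycle hook, since that is the hook the malicious code ran from. The sample project tree it builds is constructed for demonstration, and its hook command is a placeholder, not the real package’s script.

```python
import json
import os
import tempfile
from pathlib import Path

AFFECTED_PKG = "@bitwarden/cli"
AFFECTED_VERSION = "2026.4.0"  # release named in the article
INDICATOR_FILE = "bw1.js"      # file that carried the malicious code

def load_json(path):
    try:
        return json.loads(Path(path).read_text())
    except (OSError, ValueError):  # missing or malformed file counts as empty
        return {}

def scan_node_modules(root):
    """Walk node_modules: the bw1.js indicator in the affected package, and every preinstall hook."""
    findings = []
    for dirpath, _dirs, files in os.walk(os.path.join(root, "node_modules")):
        if "package.json" not in files:
            continue
        pkg = load_json(os.path.join(dirpath, "package.json"))
        if pkg.get("name") == AFFECTED_PKG and INDICATOR_FILE in files:
            findings.append(("indicator_file", AFFECTED_PKG, INDICATOR_FILE))
        hook = (pkg.get("scripts") or {}).get("preinstall")
        if hook:  # any preinstall hook runs code at install time; review unexpected ones
            findings.append(("preinstall_hook", pkg.get("name"), hook))
    return findings

def scan_project(root):
    """Lockfile pin of the affected version (v2/v3 'packages' or v1 'dependencies') plus tree scan."""
    lock = load_json(os.path.join(root, "package-lock.json"))
    entries = list(lock.get("packages", {}).items()) + list(lock.get("dependencies", {}).items())
    findings = [("lockfile", key, AFFECTED_VERSION) for key, meta in entries
                if key.endswith(AFFECTED_PKG) and meta.get("version") == AFFECTED_VERSION]
    return findings + scan_node_modules(root)

def build_sample_project(infected=True):
    """Constructed sample tree, not a real package; the hook command is a placeholder."""
    root = Path(tempfile.mkdtemp())
    pkg_dir = root / "node_modules" / "@bitwarden" / "cli"
    pkg_dir.mkdir(parents=True)
    version = AFFECTED_VERSION if infected else "0.0.0-clean-sample"
    pkg = {"name": AFFECTED_PKG, "version": version}
    if infected:
        pkg["scripts"] = {"preinstall": "node bw1.js"}
        (pkg_dir / INDICATOR_FILE).write_text("")
    (pkg_dir / "package.json").write_text(json.dumps(pkg))
    (root / "package-lock.json").write_text(json.dumps({"lockfileVersion": 3, "packages": {"node_modules/" + AFFECTED_PKG: {"version": version}}}))
    return str(root)
```

Point scan_project() at a real checkout; every preinstall hook it lists deserves a look, not only the one in the affected package.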
“A single developer with @bitwarden/cli@2026.4.0 installed could become an entry point for a widespread supply chain compromise, with the attacker gaining persistent workflow injection access to all CI/CD pipelines that the developer’s token can reach,” StepSecurity said.
Although this malicious version is no longer available for download from npm, Socket said the breach follows the same GitHub Actions supply chain vectors identified in the Checkmarx campaign.
As part of this effort, we observed threat actors exploiting stolen GitHub tokens to inject new GitHub Actions workflows that capture secrets, which can then be used to run further workflows, and using the harvested npm credentials to push malicious versions of packages that deliver the malware to downstream users.
According to security researcher Adnan Khan, the attackers allegedly used a malicious workflow to publish the malicious Bitwarden CLI. “I believe this is the first time a package using npm’s trusted publishing has been compromised,” Khan added.
[Figure: Bitwarden CLI attack chain. Source: OX Security]
The latest attack targeting Checkmarx is suspected to involve an attacker known as TeamPCP. As of this writing, TeamPCP’s X account has been suspended for violating the platform’s rules.
In a breakdown of the attack, OX Security said it identified the string “Shai-Hulud: The Third Coming” within the package, suggesting this may be the next stage in a supply chain attack campaign that was uncovered last year.
[Figure: References to “Shai-Hulud: The Third Coming” inside the package]
“The latest Shai Hulud incident is just the latest in a long chain of threats targeting developers around the world. User data is publicly exposed on GitHub, but it often goes undetected because security tools typically do not flag data sent there,” said Moshe Siman Tov Bustan, Security Research Team Lead at OX Security.
“This makes the risk much more dangerous. Anyone searching GitHub could potentially find and access those credentials. At that point, sensitive data is no longer in the hands of a single threat actor, but exposed to everyone.”
As in the Checkmarx case, the stolen data is uploaded to a public repository created under the victim’s account, using the same Dune-themed naming scheme with a “-<3 digits>” suffix. In an interesting twist, however, the malware is also designed to terminate execution if the system locale corresponds to Russia.
“While the shared tools strongly suggest a connection to the same malware ecosystem, the operational signatures differ in some ways, complicating attribution,” Socket said. “This suggests either a different operator using shared infrastructure, a splinter group with stronger ideological motivations, or an evolution in the campaign’s public stance.”
When asked for comment, Bitwarden acknowledged the incident and said it resulted from a compromise of the npm distribution mechanism following the Checkmarx supply chain attack, but stressed that no end-user data was accessed as part of the attack. The full statement shared with The Hacker News is reproduced verbatim below.
The Bitwarden security team has identified and contained a malicious package that was briefly distributed through the npm delivery path @bitwarden/cli@2026.4.0 between 5:57 PM and 7:30 PM ET on April 22, 2026, in connection with the broader Checkmarx supply chain incident.
The investigation found no evidence that end users’ vault data was accessed or compromised, or that operational data or systems were compromised. Once the issue was detected, compromised access was revoked, the malicious npm release was deprecated, and remediation steps were initiated immediately.
This issue did not impact the canonical Bitwarden CLI codebase or the integrity of the stored Vault data, but rather the CLI’s npm distribution mechanism for a limited period of time.
Users who did not download packages from npm during that period were not affected. Bitwarden has completed a review of its internal environment, release path, and related systems and has not identified any additional products or environments that are affected at this time. A CVE has been issued for Bitwarden CLI version 2026.4.0 in connection with this incident.
(This is a developing story. Check back for more details.)
